Merge commit from fork

AndyButland · Migaroez · web-flow · commit 7888b9a4ce5a · 2025-03-11T05:11:08.000+01:00
* Bumped version to 10.8.9.

* Fixed parsing of node if in content and media permission querystring handlers to retrieve expected value when multiple are provided in the querystring.

# Conflicts:
#	tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandlerTests.cs
#	tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandlerTests.cs

* Add HttpPost attributes to backoffice endpoints that should only accept post requests.

* Narrow PermissionQueryString parsing to the releveant UmbracoObjectType

* Add missed update from v10

---------

Co-authored-by: Sven Geusens &lt;sge@umbraco.dk&gt;
diff --git a/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs
@@ -19,6 +19,8 @@ public class
 {
     private readonly ContentPermissions _contentPermissions;
 
+    protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Document;
+
     /// <summary>
     ///     Initializes a new instance of the <see cref="ContentPermissionsQueryStringHandler" /> class.
     /// </summary>
@@ -47,7 +49,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
                 return Task.FromResult(true);
             }
 
-            var argument = routeVal.ToString();
+            // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).
+            // It's the first one that'll be processed by the protected method so we should verify that.
+            var argument = routeVal.Count == 1
+                ? routeVal.ToString()
+                : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;
 
             if (!TryParseNodeId(argument, out nodeId))
             {
diff --git a/src/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandler.cs
@@ -18,6 +18,8 @@ public class MediaPermissionsQueryStringHandler : PermissionsQueryStringHandler<
 {
     private readonly MediaPermissions _mediaPermissions;
 
+    protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Media;
+
     /// <summary>
     ///     Initializes a new instance of the <see cref="MediaPermissionsQueryStringHandler" /> class.
     /// </summary>
@@ -44,7 +46,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
             return Task.FromResult(true);
         }
 
-        var argument = routeVal.ToString();
+        // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).
+        // It's the first one that'll be processed by the protected method so we should verify that.
+        var argument = routeVal.Count == 1
+            ? routeVal.ToString()
+            : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;
 
         if (!TryParseNodeId(argument, out var nodeId))
         {
diff --git a/src/Umbraco.Web.BackOffice/Authorization/PermissionsQueryStringHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/PermissionsQueryStringHandler.cs
@@ -49,12 +49,18 @@ public PermissionsQueryStringHandler(
     /// </summary>
     protected IEntityService EntityService { get; set; }
 
+    /// <summary>
+    /// Defaults to Unknown so all types are allowed, since Keys are unique across all node types this works,
+    /// but it if you are certain you are looking for a specific type this should be overwritten for DB query performance.
+    /// </summary>
+    protected virtual UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Unknown;
+
     /// <summary>
     ///     Attempts to parse a node ID from a string representation found in a querystring value.
     /// </summary>
     /// <param name="argument">Querystring value.</param>
     /// <param name="nodeId">Output parsed Id.</param>
-    /// <returns>True of node ID could be parased, false it not.</returns>
+    /// <returns>True of node ID could be parsed, false it not.</returns>
     protected bool TryParseNodeId(string argument, out int nodeId)
     {
         // If the argument is an int, it will parse and can be assigned to nodeId.
@@ -75,7 +81,7 @@ protected bool TryParseNodeId(string argument, out int nodeId)
 
         if (Guid.TryParse(argument, out Guid key))
         {
-            nodeId = EntityService.GetId(key, UmbracoObjectTypes.Document).Result;
+            nodeId = EntityService.GetId(key, KeyParsingFilterType).Result;
             return true;
         }
 
diff --git a/src/Umbraco.Web.BackOffice/Controllers/ContentController.cs b/src/Umbraco.Web.BackOffice/Controllers/ContentController.cs
@@ -196,6 +196,7 @@ public IEnumerable<ContentItemDisplay> GetByIds([FromQuery] int[] ids)
     ///     Permission check is done for letter 'R' which is for <see cref="ActionRights" /> which the user must have access to
     ///     update
     /// </remarks>
+    [HttpPost]
     public async Task<ActionResult<IEnumerable<AssignedUserGroupPermissions?>?>> PostSaveUserGroupPermissions(
         UserGroupPermissionsSave saveModel)
     {
@@ -842,6 +843,7 @@ private bool EnsureUniqueName(string? name, IContent? content, string modelName)
     [Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
     [FileUploadCleanupFilter]
     [ContentSaveValidation(skipUserAccessValidation:true)] // skip user access validation because we "only" require Settings access to create new blueprints from scratch
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplay<ContentVariantDisplay>?>?> PostSaveBlueprint(
         [ModelBinder(typeof(BlueprintItemBinder))] ContentItemSave contentItem)
     {
@@ -879,6 +881,7 @@ private bool EnsureUniqueName(string? name, IContent? content, string modelName)
     [FileUploadCleanupFilter]
     [ContentSaveValidation]
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplay<ContentVariantScheduleDisplay>?>> PostSave(
         [ModelBinder(typeof(ContentItemBinder))] ContentItemSave contentItem)
     {
@@ -1960,6 +1963,7 @@ private string GetVariantName(string? culture, string? segment)
     ///     does not have Publish access to this node.
     /// </remarks>
     [Authorize(Policy = AuthorizationPolicies.ContentPermissionPublishById)]
+    [HttpPost]
     public IActionResult PostPublishById(int id)
     {
         IContent? foundContent = GetObjectFromRequest(() => _contentService.GetById(id));
@@ -1991,6 +1995,7 @@ public IActionResult PostPublishById(int id)
     ///     does not have Publish access to this node.
     /// </remarks>
     [Authorize(Policy = AuthorizationPolicies.ContentPermissionPublishById)]
+    [HttpPost]
     public IActionResult PostPublishByIdAndCulture(PublishContent model)
     {
         var languageCount = _allLangs.Value.Count();
@@ -2114,6 +2119,7 @@ public IActionResult EmptyRecycleBin()
     /// </summary>
     /// <param name="sorted"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     {
         if (sorted == null)
@@ -2165,6 +2171,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// </summary>
     /// <param name="move"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult?> PostMove(MoveOrCopy move)
     {
         // Authorize...
@@ -2199,6 +2206,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// </summary>
     /// <param name="copy"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<ActionResult<IContent>?> PostCopy(MoveOrCopy copy)
     {
         // Authorize...
@@ -2238,6 +2246,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// <param name="model">The content and variants to unpublish</param>
     /// <returns></returns>
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplayWithSchedule?>> PostUnpublish(UnpublishContent model)
     {
         IContent? foundContent = _contentService.GetById(model.Id);
@@ -2960,6 +2969,7 @@ public ActionResult<IEnumerable<NotifySetting>> GetNotificationOptions(int conte
         return notifications;
     }
 
+    [HttpPost]
     public IActionResult PostNotificationOptions(
         int contentId,
         [FromQuery(Name = "notifyOptions[]")] string[] notifyOptions)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/MediaController.cs b/src/Umbraco.Web.BackOffice/Controllers/MediaController.cs
@@ -385,6 +385,7 @@ public IActionResult DeleteById(int id)
     /// </summary>
     /// <param name="move"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostMove(MoveOrCopy move)
     {
         // Authorize...
@@ -432,6 +433,7 @@ public async Task<IActionResult> PostMove(MoveOrCopy move)
     [FileUploadCleanupFilter]
     [MediaItemSaveValidation]
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public ActionResult<MediaItemDisplay?>? PostSave(
         [ModelBinder(typeof(MediaItemBinder))] MediaItemSave contentItem)
     {
@@ -547,6 +549,7 @@ public IActionResult EmptyRecycleBin()
     /// </summary>
     /// <param name="sorted"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     {
         if (sorted == null)
@@ -592,6 +595,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
         }
     }
 
+    [HttpPost]
     public async Task<ActionResult<MediaItemDisplay?>> PostAddFolder(PostedFolder folder)
     {
         ActionResult<int?>? parentIdResult = await GetParentIdAsIntAsync(folder.ParentId, true);
@@ -625,6 +629,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// <remarks>
     ///     We cannot validate this request with attributes (nicely) due to the nature of the multi-part for data.
     /// </remarks>
+    [HttpPost]
     public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm] string currentFolder,
         [FromForm] string contentTypeAlias, List<IFormFile> file)
     {
diff --git a/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandlerTests.cs b/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandlerTests.cs
@@ -2,9 +2,7 @@
 // See LICENSE for more details.
 
 using System;
-using System.Collections.Generic;
 using System.Security.Claims;
-using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
@@ -35,7 +33,7 @@ public class ContentPermissionsQueryStringHandlerTests
     public async Task Node_Id_From_Requirement_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext(NodeId);
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue();
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -47,7 +45,7 @@ public async Task Node_Id_From_Requirement_With_Permission_Is_Authorized()
     public async Task Node_Id_From_Requirement_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext(NodeId);
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue();
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -60,7 +58,7 @@ public async Task Node_Id_From_Requirement_Without_Permission_Is_Not_Authorized(
     public async Task Node_Id_Missing_From_Requirement_And_QueryString_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor("xxx");
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue("xxx");
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -72,7 +70,7 @@ public async Task Node_Id_Missing_From_Requirement_And_QueryString_Is_Authorized
     public async Task Node_Integer_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: NodeId.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: NodeId.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -85,7 +83,21 @@ public async Task Node_Integer_Id_From_QueryString_With_Permission_Is_Authorized
     public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: NodeId.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: NodeId.ToString());
+        var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
+
+        await sut.HandleAsync(authHandlerContext);
+
+        Assert.IsFalse(authHandlerContext.HasSucceeded);
+        AssertContentCached(mockHttpContextAccessor);
+    }
+
+    [Test]
+    public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Authorized_Even_When_Additional_Parameter_For_Id_With_Permission_Is_Provided()
+    {
+        // Provides initially failing test and verifies fix for advisory https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698
+        var authHandlerContext = CreateAuthorizationHandlerContext();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValues(queryStringValues: new[] { NodeId.ToString(), 1001.ToString() });
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -98,7 +110,7 @@ public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Aut
     public async Task Node_Udi_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeUdi.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeUdi.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -111,7 +123,7 @@ public async Task Node_Udi_Id_From_QueryString_With_Permission_Is_Authorized()
     public async Task Node_Udi_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeUdi.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeUdi.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -124,7 +136,7 @@ public async Task Node_Udi_Id_From_QueryString_Without_Permission_Is_Not_Authori
     public async Task Node_Guid_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeGuid.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeGuid.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -137,7 +149,7 @@ public async Task Node_Guid_Id_From_QueryString_With_Permission_Is_Authorized()
     public async Task Node_Guid_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeGuid.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeGuid.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -150,7 +162,7 @@ public async Task Node_Guid_Id_From_QueryString_Without_Permission_Is_Not_Author
     public async Task Node_Invalid_Id_From_QueryString_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: "invalid");
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: "invalid");
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -169,14 +181,20 @@ private static AuthorizationHandlerContext CreateAuthorizationHandlerContext(int
         return new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement }, user, resource);
     }
 
-    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessor(
+    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessorWithQueryStringValue(
         string queryStringName = QueryStringName,
         string queryStringValue = "")
+        => CreateMockHttpContextAccessorWithQueryStringValues(queryStringName, new[] { queryStringValue });
+
+    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessorWithQueryStringValues(
+        string queryStringName = QueryStringName,
+        string[]? queryStringValues = null)
     {
+        queryStringValues ??= Array.Empty<string>();
         var mockHttpContextAccessor = new Mock<IHttpContextAccessor>();
         var mockHttpContext = new Mock<HttpContext>();
         var mockHttpRequest = new Mock<HttpRequest>();
-        var queryParams = new Dictionary<string, StringValues> { { queryStringName, queryStringValue } };
+        var queryParams = new Dictionary<string, StringValues> { { queryStringName, new StringValues(queryStringValues) } };
         mockHttpRequest.SetupGet(x => x.Query).Returns(new QueryCollection(queryParams));
         mockHttpContext.SetupGet(x => x.Request).Returns(mockHttpRequest.Object);
         mockHttpContext.SetupGet(x => x.Items).Returns(new Dictionary<object, object>());
diff --git a/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandlerTests.cs b/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandlerTests.cs
diff --git a/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsResourceHandlerTests.cs b/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsResourceHandlerTests.cs
diff --git a/version.json b/version.json

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,8 @@ public class`
`19`	`19`	`{`
`20`	`20`	`private readonly ContentPermissions _contentPermissions;`
`21`	`21`
	`22`	`+ protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Document;`
	`23`	`+`
`22`	`24`	`/// <summary>`
`23`	`25`	`/// Initializes a new instance of the <see cref="ContentPermissionsQueryStringHandler" /> class.`
`24`	`26`	`/// </summary>`
`@@ -47,7 +49,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,`
`47`	`49`	`return Task.FromResult(true);`
`48`	`50`	`}`
`49`	`51`
`50`		`- var argument = routeVal.ToString();`
	`52`	`+ // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).`
	`53`	`+ // It's the first one that'll be processed by the protected method so we should verify that.`
	`54`	`+ var argument = routeVal.Count == 1`
	`55`	`+ ? routeVal.ToString()`
	`56`	`+ : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;`
`51`	`57`
`52`	`58`	`if (!TryParseNodeId(argument, out nodeId))`
`53`	`59`	`{`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ public class MediaPermissionsQueryStringHandler : PermissionsQueryStringHandler<`
`18`	`18`	`{`
`19`	`19`	`private readonly MediaPermissions _mediaPermissions;`
`20`	`20`
	`21`	`+ protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Media;`
	`22`	`+`
`21`	`23`	`/// <summary>`
`22`	`24`	`/// Initializes a new instance of the <see cref="MediaPermissionsQueryStringHandler" /> class.`
`23`	`25`	`/// </summary>`
`@@ -44,7 +46,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,`
`44`	`46`	`return Task.FromResult(true);`
`45`	`47`	`}`
`46`	`48`
`47`		`- var argument = routeVal.ToString();`
	`49`	`+ // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).`
	`50`	`+ // It's the first one that'll be processed by the protected method so we should verify that.`
	`51`	`+ var argument = routeVal.Count == 1`
	`52`	`+ ? routeVal.ToString()`
	`53`	`+ : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;`
`48`	`54`
`49`	`55`	`if (!TryParseNodeId(argument, out var nodeId))`
`50`	`56`	`{`
Original file line number	Diff line number	Diff line change
`@@ -385,6 +385,7 @@ public IActionResult DeleteById(int id)`
`385`	`385`	`/// </summary>`
`386`	`386`	`/// <param name="move"></param>`
`387`	`387`	`/// <returns></returns>`
	`388`	`+ [HttpPost]`
`388`	`389`	`public async Task<IActionResult> PostMove(MoveOrCopy move)`
`389`	`390`	`{`
`390`	`391`	`// Authorize...`
`@@ -432,6 +433,7 @@ public async Task<IActionResult> PostMove(MoveOrCopy move)`
`432`	`433`	`[FileUploadCleanupFilter]`
`433`	`434`	`[MediaItemSaveValidation]`
`434`	`435`	`[OutgoingEditorModelEvent]`
	`436`	`+ [HttpPost]`
`435`	`437`	`public ActionResult<MediaItemDisplay?>? PostSave(`
`436`	`438`	`[ModelBinder(typeof(MediaItemBinder))] MediaItemSave contentItem)`
`437`	`439`	`{`
`@@ -547,6 +549,7 @@ public IActionResult EmptyRecycleBin()`
`547`	`549`	`/// </summary>`
`548`	`550`	`/// <param name="sorted"></param>`
`549`	`551`	`/// <returns></returns>`
	`552`	`+ [HttpPost]`
`550`	`553`	`public async Task<IActionResult> PostSort(ContentSortOrder sorted)`
`551`	`554`	`{`
`552`	`555`	`if (sorted == null)`
`@@ -592,6 +595,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)`
`592`	`595`	`}`
`593`	`596`	`}`
`594`	`597`
	`598`	`+ [HttpPost]`
`595`	`599`	`public async Task<ActionResult<MediaItemDisplay?>> PostAddFolder(PostedFolder folder)`
`596`	`600`	`{`
`597`	`601`	`ActionResult<int?>? parentIdResult = await GetParentIdAsIntAsync(folder.ParentId, true);`
`@@ -625,6 +629,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)`
`625`	`629`	`/// <remarks>`
`626`	`630`	`/// We cannot validate this request with attributes (nicely) due to the nature of the multi-part for data.`
`627`	`631`	`/// </remarks>`
	`632`	`+ [HttpPost]`
`628`	`633`	`public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm] string currentFolder,`
`629`	`634`	`[FromForm] string contentTypeAlias, List<IFormFile> file)`
`630`	`635`	`{`