return always PickedColor type | instance

build/azure-pipelines.yml

@@ -432,6 +432,33 @@ stages:
             displayName: Start SQL Server Docker image (Linux)
             condition: and(succeeded(), eq(variables['Agent.OS'], 'Linux'))
 
+          - powershell: |
+              $maxAttempts = 12
+              $attempt = 0
+              $status = ""
+
+              while (($status -ne 'running') -and ($attempt -lt $maxAttempts)) {
+                Start-Sleep -Seconds 5
+                # We use the docker inspect command to check the status of the container. If the container is not running, we wait 5 seconds and try again. And if reaches 12 attempts, we fail the build.
+                $status = docker inspect -f '{{.State.Status}}' mssql
+
+                if ($status -ne 'running') {
+                  Write-Host "Waiting for SQL Server to be ready... Attempt $($attempt + 1)"
+                  $attempt++
+                }
+              }
+
+              if ($status -eq 'running') {
+                Write-Host "SQL Server container is running"
+                docker ps -a
+              } else {
+                Write-Host "SQL Server did not become ready in time. Last known status: $status"
+                docker logs mssql
+                exit 1
+              }
+            displayName: Wait for SQL Server to be ready (Linux)
+            condition: and(succeeded(), eq(variables['Agent.OS'], 'Linux'))
+
           - pwsh: SqlLocalDB start MSSQLLocalDB
             displayName: Start SQL Server LocalDB (Windows)
             condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'))

build/nightly-E2E-test-pipelines.yml

@@ -8,10 +8,17 @@ schedules:
     displayName: Daily midnight build
     branches:
       include:
-        - v14/dev
         - v15/dev
+        - release/16.0
         - main
 
+parameters:
+    # Skipped due to DB locks
+  - name: sqliteAcceptanceTests
+    displayName: Run SQLite Acceptance Tests
+    type: boolean
+    default: false
+
 variables:
   nodeVersion: 20
   solution: umbraco.sln
@@ -122,6 +129,8 @@ stages:
       # E2E Tests
       - job:
         displayName: E2E Tests (SQLite)
+        # currently disabled due to DB locks randomly occuring.
+        condition: eq(${{parameters.sqliteAcceptanceTests}}, True)
         timeoutInMinutes: 180
         variables:
           # Connection string
@@ -291,17 +300,17 @@ stages:
               testCommand: "npm run testSqlite -- --shard=1/3"
               vmImage: "ubuntu-latest"
               SA_PASSWORD: $(UMBRACO__CMS__UNATTENDED__UNATTENDEDUSERPASSWORD)
-              CONNECTIONSTRINGS__UMBRACODBDSN: "Server=(local);Database=Umbraco;User Id=sa;Password=$(SA_PASSWORD);TrustServerCertificate=True"
+              CONNECTIONSTRINGS__UMBRACODBDSN: "Server=(local);Database=Umbraco;User Id=sa;Password=$(SA_PASSWORD);Encrypt=True;TrustServerCertificate=True"
             LinuxPart2Of3:
               testCommand: "npm run testSqlite -- --shard=2/3"
               vmImage: "ubuntu-latest"
               SA_PASSWORD: $(UMBRACO__CMS__UNATTENDED__UNATTENDEDUSERPASSWORD)
-              CONNECTIONSTRINGS__UMBRACODBDSN: "Server=(local);Database=Umbraco;User Id=sa;Password=$(SA_PASSWORD);TrustServerCertificate=True"
+              CONNECTIONSTRINGS__UMBRACODBDSN: "Server=(local);Database=Umbraco;User Id=sa;Password=$(SA_PASSWORD);Encrypt=True;TrustServerCertificate=True"
             LinuxPart3Of3:
               testCommand: "npm run testSqlite -- --shard=3/3"
               vmImage: "ubuntu-latest"
               SA_PASSWORD: $(UMBRACO__CMS__UNATTENDED__UNATTENDEDUSERPASSWORD)
-              CONNECTIONSTRINGS__UMBRACODBDSN: "Server=(local);Database=Umbraco;User Id=sa;Password=$(SA_PASSWORD);TrustServerCertificate=True"
+              CONNECTIONSTRINGS__UMBRACODBDSN: "Server=(local);Database=Umbraco;User Id=sa;Password=$(SA_PASSWORD);Encrypt=True;TrustServerCertificate=True"
             WindowsPart1Of3:
               vmImage: "windows-latest"
               testCommand: "npm run testSqlite -- --shard=1/3"

src/Umbraco.Cms.Api.Management/Controllers/Document/CopyDocumentController.cs

@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Asp.Versioning;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
@@ -42,12 +42,16 @@ public async Task<IActionResult> Copy(
         Guid id,
         CopyDocumentRequestModel copyDocumentRequestModel)
     {
-        AuthorizationResult authorizationResult = await _authorizationService.AuthorizeResourceAsync(
+        AuthorizationResult sourceAuthorizationResult = await _authorizationService.AuthorizeResourceAsync(
             User,
-            ContentPermissionResource.WithKeys(ActionCopy.ActionLetter, new[] { copyDocumentRequestModel.Target?.Id, id }),
+            ContentPermissionResource.WithKeys(ActionCopy.ActionLetter, [id]),
+            AuthorizationPolicies.ContentPermissionByResource);
+        AuthorizationResult destinationAuthorizationResult = await _authorizationService.AuthorizeResourceAsync(
+            User,
+            ContentPermissionResource.WithKeys(ActionNew.ActionLetter, [copyDocumentRequestModel.Target?.Id]),
             AuthorizationPolicies.ContentPermissionByResource);
 
-        if (!authorizationResult.Succeeded)
+        if (sourceAuthorizationResult.Succeeded is false || destinationAuthorizationResult.Succeeded is false)
         {
             return Forbidden();
         }

src/Umbraco.Cms.Api.Management/Controllers/Document/Item/SearchDocumentItemController.cs

@@ -28,12 +28,13 @@ public async Task<IActionResult> SearchWithTrashed(
         CancellationToken cancellationToken,
         string query,
         bool? trashed = null,
+        string? culture = null,
         int skip = 0,
         int take = 100,
         Guid? parentId = null,
         [FromQuery] IEnumerable<Guid>? allowedDocumentTypes = null)
     {
-        PagedModel<IEntitySlim> searchResult = await _indexedEntitySearchService.SearchAsync(UmbracoObjectTypes.Document, query, parentId, allowedDocumentTypes, trashed, skip, take);
+        PagedModel<IEntitySlim> searchResult = await _indexedEntitySearchService.SearchAsync(UmbracoObjectTypes.Document, query, parentId, allowedDocumentTypes, trashed, culture, skip, take);
         var result = new PagedModel<DocumentItemResponseModel>
         {
             Items = searchResult.Items.OfType<IDocumentEntitySlim>().Select(_documentPresentationFactory.CreateItemResponseModel),

src/Umbraco.Cms.Api.Management/Controllers/Document/MoveDocumentController.cs

@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Asp.Versioning;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
@@ -39,6 +39,20 @@ public MoveDocumentController(
     [ProducesResponseType(typeof(ProblemDetails), StatusCodes.Status404NotFound)]
     public async Task<IActionResult> Move(CancellationToken cancellationToken, Guid id, MoveDocumentRequestModel moveDocumentRequestModel)
     {
+        AuthorizationResult sourceAuthorizationResult = await _authorizationService.AuthorizeResourceAsync(
+            User,
+            ContentPermissionResource.WithKeys(ActionMove.ActionLetter, [id]),
+            AuthorizationPolicies.ContentPermissionByResource);
+        AuthorizationResult destinationAuthorizationResult = await _authorizationService.AuthorizeResourceAsync(
+            User,
+            ContentPermissionResource.WithKeys(ActionNew.ActionLetter, [moveDocumentRequestModel.Target?.Id]),
+            AuthorizationPolicies.ContentPermissionByResource);
+
+        if (sourceAuthorizationResult.Succeeded is false || destinationAuthorizationResult.Succeeded is false)
+        {
+            return Forbidden();
+        }
+
         AuthorizationResult authorizationResult = await _authorizationService.AuthorizeResourceAsync(
             User,
             ContentPermissionResource.WithKeys(ActionMove.ActionLetter, new[] { moveDocumentRequestModel.Target?.Id, id }),

src/Umbraco.Cms.Api.Management/Controllers/Media/Item/SearchMediaItemController.cs

@@ -21,17 +21,20 @@
         _mediaPresentationFactory = mediaPresentationFactory;
     }
 
-    [NonAction]
-    [Obsolete("Scheduled to be removed in v16, use the non obsoleted method instead")]
-    public Task<IActionResult> SearchFromParentWithAllowedTypes(CancellationToken cancellationToken, string query, int skip = 0, int take = 100, Guid? parentId = null, [FromQuery]IEnumerable<Guid>? allowedMediaTypes = null)
-        => SearchFromParentWithAllowedTypes(cancellationToken, query, null, skip, take, parentId);
-
     [HttpGet("search")]
     [MapToApiVersion("1.0")]
     [ProducesResponseType(typeof(PagedModel<MediaItemResponseModel>), StatusCodes.Status200OK)]
-    public async Task<IActionResult> SearchFromParentWithAllowedTypes(CancellationToken cancellationToken, string query, bool? trashed = null, int skip = 0, int take = 100, Guid? parentId = null, [FromQuery]IEnumerable<Guid>? allowedMediaTypes = null)
+    public async Task<IActionResult> SearchFromParentWithAllowedTypes(
+        CancellationToken cancellationToken,
+        string query,
+        bool? trashed = null,
+        string? culture = null,
+        int skip = 0,
+        int take = 100,
+        Guid? parentId = null,
+        [FromQuery]IEnumerable<Guid>? allowedMediaTypes = null)
     {
-        PagedModel<IEntitySlim> searchResult = await _indexedEntitySearchService.SearchAsync(UmbracoObjectTypes.Media, query, parentId, allowedMediaTypes, trashed, skip, take);
+        PagedModel<IEntitySlim> searchResult = await _indexedEntitySearchService.SearchAsync(UmbracoObjectTypes.Media, query, parentId, allowedMediaTypes, trashed, culture, skip, take);
         var result = new PagedModel<MediaItemResponseModel>
         {
             Items = searchResult.Items.OfType<IMediaEntitySlim>().Select(_mediaPresentationFactory.CreateItemResponseModel),

src/Umbraco.Cms.Api.Management/Controllers/Segment/AllSegmentController.cs

@@ -14,7 +14,6 @@
 namespace Umbraco.Cms.Api.Management.Controllers.Segment;
 
 [ApiVersion("1.0")]
-[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class AllSegmentController : SegmentControllerBase
 {
     private readonly ISegmentService _segmentService;

src/Umbraco.Cms.Api.Management/DependencyInjection/UmbracoBuilder.BackOfficeIdentity.cs

@@ -3,6 +3,7 @@
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Umbraco.Cms.Api.Management.NotificationHandlers;
 using Umbraco.Cms.Api.Management.Security;
 using Umbraco.Cms.Api.Management.Services;
 using Umbraco.Cms.Api.Management.Telemetry;
@@ -12,6 +13,7 @@
 using Umbraco.Cms.Core.Events;
 using Umbraco.Cms.Core.Mapping;
 using Umbraco.Cms.Core.Net;
+using Umbraco.Cms.Core.Notifications;
 using Umbraco.Cms.Core.Persistence.Repositories;
 using Umbraco.Cms.Core.Scoping;
 using Umbraco.Cms.Core.Security;
@@ -74,6 +76,9 @@ public static IUmbracoBuilder AddBackOfficeIdentity(this IUmbracoBuilder builder
 
         services.AddScoped<IBackOfficeExternalLoginService, BackOfficeExternalLoginService>();
 
+        // Register a notification handler to interrogate the registered external login providers at startup.
+        builder.AddNotificationHandler<UmbracoApplicationStartingNotification, ExternalLoginProviderStartupHandler>();
+
         return builder;
     }
 

src/Umbraco.Cms.Api.Management/Factories/DocumentVersionPresentationFactory.cs

@@ -1,5 +1,6 @@
 using Umbraco.Cms.Api.Management.ViewModels;
 using Umbraco.Cms.Api.Management.ViewModels.Document;
+using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Extensions;
@@ -19,17 +20,26 @@ public DocumentVersionPresentationFactory(
         _userIdKeyResolver = userIdKeyResolver;
     }
 
-    public async Task<DocumentVersionItemResponseModel> CreateAsync(ContentVersionMeta contentVersion) =>
-        new(
+    public async Task<DocumentVersionItemResponseModel> CreateAsync(ContentVersionMeta contentVersion)
+    {
+        ReferenceByIdModel userReference = contentVersion.UserId switch
+        {
+            Constants.Security.UnknownUserId => new ReferenceByIdModel(),
+            _ => new ReferenceByIdModel(await _userIdKeyResolver.GetAsync(contentVersion.UserId)),
+        };
+
+        return new DocumentVersionItemResponseModel(
             contentVersion.VersionId.ToGuid(), // this is a magic guid since versions do not have keys in the DB
             new ReferenceByIdModel(_entityService.GetKey(contentVersion.ContentId, UmbracoObjectTypes.Document).Result),
-            new ReferenceByIdModel(_entityService.GetKey(contentVersion.ContentTypeId, UmbracoObjectTypes.DocumentType)
-                .Result),
-            new ReferenceByIdModel(await _userIdKeyResolver.GetAsync(contentVersion.UserId)),
+            new ReferenceByIdModel(
+                _entityService.GetKey(contentVersion.ContentTypeId, UmbracoObjectTypes.DocumentType)
+                    .Result),
+            userReference,
             new DateTimeOffset(contentVersion.VersionDate),
             contentVersion.CurrentPublishedVersion,
             contentVersion.CurrentDraftVersion,
             contentVersion.PreventCleanup);
+    }
 
     public async Task<IEnumerable<DocumentVersionItemResponseModel>> CreateMultipleAsync(IEnumerable<ContentVersionMeta> contentVersions)
         => await CreateMultipleImplAsync(contentVersions).ToArrayAsync();

src/Umbraco.Cms.Api.Management/NotificationHandlers/ExternalLoginProviderStartupHandler.cs

@@ -0,0 +1,44 @@
+using Umbraco.Cms.Api.Management.Security;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.Events;
+using Umbraco.Cms.Core.Notifications;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Core.Sync;
+
+namespace Umbraco.Cms.Api.Management.NotificationHandlers;
+
+/// <summary>
+/// Invalidates backoffice sessions and clears external logins for removed providers if the external login
+/// provider setup has changed.
+/// </summary>
+internal sealed class ExternalLoginProviderStartupHandler : INotificationHandler<UmbracoApplicationStartingNotification>
+{
+    private readonly IBackOfficeExternalLoginProviders _backOfficeExternalLoginProviders;
+    private readonly IRuntimeState _runtimeState;
+    private readonly IServerRoleAccessor _serverRoleAccessor;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ExternalLoginProviderStartupHandler"/> class.
+    /// </summary>
+    public ExternalLoginProviderStartupHandler(
+        IBackOfficeExternalLoginProviders backOfficeExternalLoginProviders,
+        IRuntimeState runtimeState,
+        IServerRoleAccessor serverRoleAccessor)
+    {
+        _backOfficeExternalLoginProviders = backOfficeExternalLoginProviders;
+        _runtimeState = runtimeState;
+        _serverRoleAccessor = serverRoleAccessor;
+    }
+
+    /// <inheritdoc/>
+    public void Handle(UmbracoApplicationStartingNotification notification)
+    {
+        if (_runtimeState.Level != RuntimeLevel.Run ||
+            _serverRoleAccessor.CurrentServerRole == ServerRole.Subscriber)
+        {
+            return;
+        }
+
+        _backOfficeExternalLoginProviders.InvalidateSessionsIfExternalLoginProvidersChanged();
+    }
+}

src/Umbraco.Cms.Api.Management/OpenApi.json

@@ -10159,6 +10159,13 @@
               "type": "boolean"
             }
           },
+          {
+            "name": "culture",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
           {
             "name": "skip",
             "in": "query",
@@ -15918,6 +15925,13 @@
               "type": "boolean"
             }
           },
+          {
+            "name": "culture",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
           {
             "name": "skip",
             "in": "query",

src/Umbraco.Cms.Api.Management/Security/BackOfficeExternalLoginProviders.cs

@@ -1,5 +1,9 @@
 using Microsoft.AspNetCore.Authentication;
 using Umbraco.Cms.Core.Security;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Umbraco.Cms.Core.DependencyInjection;
+using Umbraco.Cms.Core.Services;
 
 namespace Umbraco.Cms.Api.Management.Security;
 
@@ -8,13 +12,37 @@ public class BackOfficeExternalLoginProviders : IBackOfficeExternalLoginProvider
 {
     private readonly IAuthenticationSchemeProvider _authenticationSchemeProvider;
     private readonly Dictionary<string, BackOfficeExternalLoginProvider> _externalLogins;
+    private readonly IKeyValueService _keyValueService;
+    private readonly IExternalLoginWithKeyService _externalLoginWithKeyService;
+    private readonly ILogger<BackOfficeExternalLoginProviders> _logger;
 
+    private const string ExternalLoginProvidersKey = "Umbraco.Cms.Web.BackOffice.Security.BackOfficeExternalLoginProviders";
+
+    [Obsolete("Please use the constructor taking all parameters. Scheduled for removal in Umbraco 17.")]
     public BackOfficeExternalLoginProviders(
         IEnumerable<BackOfficeExternalLoginProvider> externalLogins,
         IAuthenticationSchemeProvider authenticationSchemeProvider)
+        : this(
+              externalLogins,
+              authenticationSchemeProvider,
+              StaticServiceProvider.Instance.GetRequiredService<IKeyValueService>(),
+              StaticServiceProvider.Instance.GetRequiredService<IExternalLoginWithKeyService>(),
+              StaticServiceProvider.Instance.GetRequiredService<ILogger<BackOfficeExternalLoginProviders>>())
+    {
+    }
+
+    public BackOfficeExternalLoginProviders(
+        IEnumerable<BackOfficeExternalLoginProvider> externalLogins,
+        IAuthenticationSchemeProvider authenticationSchemeProvider,
+        IKeyValueService keyValueService,
+        IExternalLoginWithKeyService externalLoginWithKeyService,
+        ILogger<BackOfficeExternalLoginProviders> logger)
     {
         _externalLogins = externalLogins.ToDictionary(x => x.AuthenticationType);
         _authenticationSchemeProvider = authenticationSchemeProvider;
+        _keyValueService = keyValueService;
+        _externalLoginWithKeyService = externalLoginWithKeyService;
+        _logger = logger;
     }
 
     /// <inheritdoc />
@@ -60,4 +88,25 @@ public bool HasDenyLocalLogin()
         var found = _externalLogins.Values.Where(x => x.Options.DenyLocalLogin).ToList();
         return found.Count > 0;
     }
+
+    /// <inheritdoc />
+    public void InvalidateSessionsIfExternalLoginProvidersChanged()
+    {
+        var previousExternalLoginProvidersValue = _keyValueService.GetValue(ExternalLoginProvidersKey);
+        var currentExternalLoginProvidersValue = string.Join("|", _externalLogins.Keys.OrderBy(key => key));
+
+        if ((previousExternalLoginProvidersValue ?? string.Empty) != currentExternalLoginProvidersValue)
+        {
+            _logger.LogWarning(
+                "The configured external login providers have changed. Existing backoffice sessions using the removed providers will be invalidated and external login data removed.");
+
+            _externalLoginWithKeyService.PurgeLoginsForRemovedProviders(_externalLogins.Keys);
+
+            _keyValueService.SetValue(ExternalLoginProvidersKey, currentExternalLoginProvidersValue);
+        }
+        else if (previousExternalLoginProvidersValue is null)
+        {
+            _keyValueService.SetValue(ExternalLoginProvidersKey, string.Empty);
+        }
+    }
 }