Moved endpoint to new controller to avoid issue with too hard access requirements (#11264)

* Fixed #11258

Moved endpoint and obsoleted the old one to avoid breaking changes..
The issue is the auth policies cannot be overridden.. You need all of them, and the controller requires you to have access to member types

* Update src/Umbraco.Web.BackOffice/Controllers/MemberTypeQueryController.cs

Co-authored-by: Nikolaj Geisle <[email protected]>

Co-authored-by: Nikolaj Geisle <[email protected]>

Author: bergmania

src/Umbraco.Web.BackOffice/Controllers/BackOfficeServerVariables.cs

@@ -279,6 +279,10 @@ internal async Task<Dictionary<string, object>> GetServerVariablesAsync()
                             "memberTypeApiBaseUrl", _linkGenerator.GetUmbracoApiServiceBaseUrl<MemberTypeController>(
                                 controller => controller.GetAllTypes())
                         },
+                        {
+                            "memberTypeQueryApiBaseUrl", _linkGenerator.GetUmbracoApiServiceBaseUrl<MemberTypeQueryController>(
+                                controller => controller.GetAllTypes())
+                        },
                         {
                             "memberGroupApiBaseUrl", _linkGenerator.GetUmbracoApiServiceBaseUrl<MemberGroupController>(
                                 controller => controller.GetAllGroups())

src/Umbraco.Web.BackOffice/Controllers/MemberTypeController.cs

@@ -182,6 +182,7 @@ public MemberTypeDisplay GetEmpty()
         /// <summary>
         /// Returns all member types
         /// </summary>
+        [Obsolete("Use MemberTypeQueryController.GetAllTypes instead as it only requires AuthorizationPolicies.TreeAccessMembersOrMemberTypes and not both this and AuthorizationPolicies.TreeAccessMemberTypes")]
         [Authorize(Policy = AuthorizationPolicies.TreeAccessMembersOrMemberTypes)]
         public IEnumerable<ContentTypeBasic> GetAllTypes()
         {

src/Umbraco.Web.BackOffice/Controllers/MemberTypeQueryController.cs

@@ -0,0 +1,42 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.AspNetCore.Authorization;
+using Umbraco.Cms.Core.Mapping;
+using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Models.ContentEditing;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
+using Constants = Umbraco.Cms.Core.Constants;
+
+namespace Umbraco.Cms.Web.BackOffice.Controllers
+{
+    /// <summary>
+    /// An API controller used for dealing with member types
+    /// </summary>
+    [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+    [Authorize(Policy = AuthorizationPolicies.TreeAccessMembersOrMemberTypes)]
+    public class MemberTypeQueryController : BackOfficeNotificationsController
+    {
+        private readonly IMemberTypeService _memberTypeService;
+        private readonly IUmbracoMapper _umbracoMapper;
+
+
+        public MemberTypeQueryController(
+            IMemberTypeService memberTypeService,
+            IUmbracoMapper umbracoMapper)
+        {
+            _memberTypeService = memberTypeService ?? throw new ArgumentNullException(nameof(memberTypeService));
+            _umbracoMapper = umbracoMapper ?? throw new ArgumentNullException(nameof(umbracoMapper));
+        }
+
+        /// <summary>
+        /// Returns all member types
+        /// </summary>
+        public IEnumerable<ContentTypeBasic> GetAllTypes() =>
+            _memberTypeService.GetAll()
+                .Select(_umbracoMapper.Map<IMemberType, ContentTypeBasic>);
+
+    }
+}

src/Umbraco.Web.UI.Client/src/common/resources/membertype.resource.js

@@ -46,10 +46,10 @@ function memberTypeResource($q, $http, umbRequestHelper, umbDataFormatter, local
             return umbRequestHelper.resourcePromise(
                $http.get(
                    umbRequestHelper.getApiUrl(
-                       "memberTypeApiBaseUrl",
+                       "memberTypeQueryApiBaseUrl",
                        "GetAllTypes")),
                'Failed to retrieve data for member types id');
-        },       
+        },
 
         getById: function (id) {