Merge remote-tracking branch 'origin/release/10.8.7' into v10/dev

# Conflicts:
#	version.json

Author: Zeegaan

src/Directory.Packages.props

@@ -48,7 +48,7 @@
     <PackageVersion Include="Serilog.Sinks.Async" Version="1.5.0" />
     <PackageVersion Include="Serilog.Sinks.File" Version="5.0.0" />
     <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
-    <PackageVersion Include="SixLabors.ImageSharp" Version="2.1.7" />
+    <PackageVersion Include="SixLabors.ImageSharp" Version="2.1.9" />
     <PackageVersion Include="SixLabors.ImageSharp.Web" Version="2.0.2" />
     <PackageVersion Include="Smidge.InMemory" Version="4.3.0" />
     <PackageVersion Include="Smidge.Nuglify" Version="4.2.1" />
@@ -64,4 +64,4 @@
     <PackageVersion Include="System.Security.Cryptography.Xml" Version="6.0.1" />
     <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
   </ItemGroup>
-</Project>
+</Project>

src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs

@@ -59,6 +59,14 @@ public static async Task<AuthenticateResult> AuthenticateBackOfficeAsync(this Ht
                 await httpContext.AuthenticateAsync(Constants.Security.BackOfficeExternalAuthenticationType);
         }
 
+        // Update the HttpContext's user with the authenticated user's principal to ensure
+        // that subsequent requests within the same context will recognize the user
+        // as authenticated.
+        if (result.Succeeded)
+        {
+            httpContext.User = result.Principal;
+        }
+
         return result;
     }
 

src/Umbraco.Web.UI.Client/src/common/directives/components/media/umbmedianodeinfo.directive.js

@@ -69,15 +69,7 @@
                 editorService.mediaTypeEditor(editor);
             };
 
-            scope.openSVG = () => {
-                var popup = window.open('', '_blank');
-                var html = '<!DOCTYPE html><body><img src="' + scope.nodeUrl + '"/>' +
-                    '<script>history.pushState(null, null,"' + $location.$$absUrl + '");</script></body>';
-                
-                popup.document.open();
-                popup.document.write(html);
-                popup.document.close();
-            }
+          scope.openSVG = () => mediaHelper.openSVG(scope.nodeUrl);
 
             // watch for content updates - reload content when node is saved, published etc.
             scope.$watch('node.updateDate', function(newValue, oldValue){

src/Umbraco.Web.UI.Client/src/common/services/mediahelper.service.js

@@ -3,7 +3,7 @@
 * @name umbraco.services.mediaHelper
 * @description A helper object used for dealing with media items
 **/
-function mediaHelper(umbRequestHelper, $http, $log) {
+function mediaHelper(umbRequestHelper, $http, $log, $location) {
 
     //container of fileresolvers
     var _mediaFileResolvers = {};
@@ -449,7 +449,29 @@ function mediaHelper(umbRequestHelper, $http, $log) {
                             cropY2: options.crop ? options.crop.y2 : null
                         })),
                 "Failed to retrieve processed image URL for image: " + imagePath);
-        }
+      },
+
+      /**
+        * @ngdoc function
+        * @name umbraco.services.mediaHelper#openSVG
+        * @methodOf umbraco.services.mediaHelper
+        * @function
+        *
+        * @description
+        * Opens an SVG file in a new window as an image file, to prevent any potential XSS exploits.
+        *
+        * @param {string} imagePath File path, ex /media/1234/my-image.svg
+        */
+      openSVG: function (imagePath) {
+        var popup = window.open('', '_blank');
+        var html = '<!DOCTYPE html><body style="background-image: linear-gradient(45deg, #ccc 25%, transparent 25%), linear-gradient(135deg, #ccc 25%, transparent 25%), linear-gradient(45deg, transparent 75%, #ccc 75%), linear-gradient(135deg, transparent 75%, #ccc 75%); background-size:30px 30px; background-position:0 0, 15px 0, 15px -15px, 0px 15px;">'
+          + '<img src="' + imagePath + '"/>'
+          + '<script>history.pushState(null, null,"' + $location.$$absUrl + '");</script></body>';
+
+        popup.document.open();
+        popup.document.write(html);
+        popup.document.close();
+      }
 
     };
 } angular.module('umbraco.services').factory('mediaHelper', mediaHelper);

src/Umbraco.Web.UI.Client/src/common/services/user.service.js

@@ -3,6 +3,7 @@ angular.module('umbraco.services')
 
         var currentUser = null;
         var lastUserId = null;
+        var countdownCounter = null;
 
         //this tracks the last date/time that the user's remainingAuthSeconds was updated from the server
         // this is used so that we know when to go and get the user's remaining seconds directly.
@@ -43,6 +44,10 @@ angular.module('umbraco.services')
             }
             currentUser = usr;
             lastServerTimeoutSet = new Date();
+            //don't start the timer if it is already going
+            if (countdownCounter) {
+                return;
+            }
             //start the timer
             countdownUserTimeout();
         }
@@ -54,23 +59,23 @@ angular.module('umbraco.services')
         */
         function countdownUserTimeout() {
 
-            $timeout(function () {
+            countdownCounter = $timeout(function () {
 
                 if (currentUser) {
                     //countdown by 5 seconds since that is how long our timer is for.
                     currentUser.remainingAuthSeconds -= 5;
 
-                    //if there are more than 30 remaining seconds, recurse!
-                    if (currentUser.remainingAuthSeconds > 30) {
+                    //if there are more than 20 remaining seconds, recurse!
+                    if (currentUser.remainingAuthSeconds > 20) {
 
                         //we need to check when the last time the timeout was set from the server, if
-                        // it has been more than 30 seconds then we'll manually go and retrieve it from the
+                        // it has been more than 20 seconds then we'll manually go and retrieve it from the
                         // server - this helps to keep our local countdown in check with the true timeout.
                         if (lastServerTimeoutSet != null) {
                             var now = new Date();
                             var seconds = (now.getTime() - lastServerTimeoutSet.getTime()) / 1000;
 
-                            if (seconds > 30) {
+                            if (seconds > 20) {
 
                                 //first we'll set the lastServerTimeoutSet to null - this is so we don't get back in to this loop while we
                                 // wait for a response from the server otherwise we'll be making double/triple/etc... calls while we wait.
@@ -95,18 +100,23 @@ angular.module('umbraco.services')
                         if (Umbraco.Sys.ServerVariables.umbracoSettings.keepUserLoggedIn !== true) {
                             //NOTE: the safeApply because our timeout is set to not run digests (performance reasons)
                             angularHelper.safeApply($rootScope, function () {
-                                try {
-                                    //NOTE: We are calling this again so that the server can create a log that the timeout has expired, we
-                                    // don't actually care about this result.
-                                    authResource.getRemainingTimeoutSeconds();
-                                }
-                                finally {
-                                    userAuthExpired();
-                                }
+                                //NOTE: We are calling this again so that the server can create a log that the timeout has expired
+                                //and we will show the login screen as close to the server's timout time as possible
+                                authResource.getRemainingTimeoutSeconds().then(function (result) {
+                                    setUserTimeoutInternal(result);
+
+                                    //the client auth can expire a second earlier as the client internal clock is behind
+                                    if (result < 1) {
+                                        userAuthExpired();
+                                    }
+                                });
                             });
+
+                            //recurse the countdown!
+                            countdownUserTimeout();
                         }
                         else {
-                            //we've got less than 30 seconds remaining so let's check the server
+                            //we've got less than 20 seconds remaining so let's check the server
 
                             if (lastServerTimeoutSet != null) {
                                 //first we'll set the lastServerTimeoutSet to null - this is so we don't get back in to this loop while we
@@ -155,6 +165,7 @@ angular.module('umbraco.services')
 
             lastServerTimeoutSet = null;
             currentUser = null;
+            countdownCounter = null;
 
             openLoginDialog(isLogout === undefined ? true : !isLogout);
         }

src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umb-image-preview.html

@@ -1,6 +1,6 @@
 <div class="umb-image-preview" ng-controller="umbImagePreviewController as controller">
     <img class="umb-image-preview--image" ng-if="vm.clientSide" ng-init="previewUrl = controller.getClientSideUrl(vm.clientSideData)" ng-src="{{previewUrl}}" alt="{{vm.name}}" />
-    <a ng-if="!vm.clientSide" href="#" ng-href="{{vm.source}}" target="_blank" rel="noopener">
+    <a ng-if="!vm.clientSide" href="" ng-attr-href="{{vm.extension !== 'svg' ? vm.source : undefined}}" ng-click="vm.extension === 'svg' && controller.openSVG(vm.source)" target="_blank" rel="noopener">
         <img class="umb-image-preview--image" ng-init="previewUrl = controller.getThumbnail(vm.source)" ng-src="{{previewUrl}}" alt="{{vm.name}}" />
     </a>
 </div>

src/Umbraco.Web.UI.Client/src/views/components/media/umbimagepreview/umbimagepreview.controller.js

@@ -1,18 +1,16 @@
-
-
-
-
 angular.module("umbraco")
-    .controller("umbImagePreviewController",
-        function (mediaHelper) {
+  .controller("umbImagePreviewController",
+    function (mediaHelper) {
+
+      var vm = this;
 
-            var vm = this;
+      vm.getThumbnail = function (source) {
+        return mediaHelper.getThumbnailFromPath(source) || source;
+      }
 
-            vm.getThumbnail = function(source) {
-                return mediaHelper.getThumbnailFromPath(source) || source;
-            }
-            vm.getClientSideUrl = function(sourceData) {
-                return URL.createObjectURL(sourceData);
-            }
+      vm.getClientSideUrl = function (sourceData) {
+        return URL.createObjectURL(sourceData);
+      }
 
-        });
+      vm.openSVG = (source) => mediaHelper.openSVG(source);
+    });