Merge branch 'v13/dev' into v14/dev

# Conflicts:
#	Directory.Packages.props
#	build/azure-pipelines.yml
#	src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
#	src/Umbraco.Cms.Persistence.EFCore/Locking/SqlServerEFCoreDistributedLockingMechanism.cs
#	src/Umbraco.Core/Configuration/Models/RichTextEditorSettings.cs
#	src/Umbraco.Core/EmbeddedResources/Lang/da.xml
#	src/Umbraco.Core/EmbeddedResources/Lang/en.xml
#	src/Umbraco.Core/EmbeddedResources/Lang/en_us.xml
#	src/Umbraco.Core/Services/ContentService.cs
#	src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs
#	src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsResourceHandler.cs
#	src/Umbraco.Web.BackOffice/Controllers/ContentController.cs
#	src/Umbraco.Web.BackOffice/Controllers/ExamineManagementController.cs
#	src/Umbraco.Web.BackOffice/Controllers/MediaController.cs
#	src/Umbraco.Web.BackOffice/Trees/StaticFilesTreeController.cs
#	src/Umbraco.Web.UI.Client/package-lock.json
#	src/Umbraco.Web.UI.Client/package.json
#	src/Umbraco.Web.UI.Client/src/common/directives/components/buttons/umbbuttongroup.directive.js
#	src/Umbraco.Web.UI.Client/src/common/directives/components/content/edit.controller.js
#	src/Umbraco.Web.UI.Client/src/common/filters/simpleMarkdown.filter.js
#	src/Umbraco.Web.UI.Client/src/common/filters/simpleMarkdown.filter.js.js
#	src/Umbraco.Web.UI.Client/src/common/services/tinymce.service.js
#	src/Umbraco.Web.UI.Client/src/less/components/umb-group-builder.less
#	src/Umbraco.Web.UI.Client/src/views/common/infiniteeditors/mediaentryeditor/mediaentryeditor.less
#	src/Umbraco.Web.UI.Client/src/views/common/infiniteeditors/propertysettings/propertysettings.html
#	src/Umbraco.Web.UI.Client/src/views/common/overlays/ysod/ysod.controller.js
#	src/Umbraco.Web.UI.Client/src/views/common/overlays/ysod/ysod.html
#	src/Umbraco.Web.UI.Client/src/views/components/buttons/umb-button-group.html
#	src/Umbraco.Web.UI.Client/src/views/content/overlays/sendtopublish.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/blockgrid/prevalue/blockgrid.blockconfiguration.overlay.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/blockgrid/prevalue/blockgrid.blockconfiguration.overlay.html
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/blocklist/prevalue/blocklist.blockconfiguration.overlay.controller.js
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/blocklist/prevalue/blocklist.blockconfiguration.overlay.html
#	src/Umbraco.Web.UI.Client/src/views/propertyeditors/rte/rte.component.js
#	src/Umbraco.Web.UI.Client~HEAD
#	src/Umbraco.Web.UI.Login/package-lock.json
#	src/Umbraco.Web.UI.Login/package.json
#	tests/Umbraco.Tests.AcceptanceTest/tests/DefaultConfig/BlockGridEditor/Content/blockGridEditorContent.spec.ts
#	tests/Umbraco.Tests.Integration/Umbraco.Infrastructure/Services/ContentServiceNotificationTests.cs
#	tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Controllers/ContentControllerTests.cs
#	tools/Umbraco.JsonSchema/UmbracoCmsSchema.cs
#	version.json

Author: Migaroez

Directory.Packages.props

@@ -12,25 +12,25 @@
   </ItemGroup>
   <!-- Microsoft packages -->
   <ItemGroup>
-    <PackageVersion Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.8" />
-    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="8.0.8" />
+    <PackageVersion Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="8.0.11" />
+    <PackageVersion Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="8.0.11" />
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="4.10.0" />
-    <PackageVersion Include="Microsoft.Data.Sqlite" Version="8.0.8" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="8.0.8" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.8" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.8" />
+    <PackageVersion Include="Microsoft.Data.Sqlite" Version="8.0.11" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="8.0.11" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.11" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.11" />
     <PackageVersion Include="Microsoft.Extensions.Caching.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Json" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.FileProviders.Embedded" Version="8.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
+    <PackageVersion Include="Microsoft.Extensions.FileProviders.Embedded" Version="8.0.11" />
     <PackageVersion Include="Microsoft.Extensions.FileProviders.Physical" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Identity.Core" Version="8.0.8" />
-    <PackageVersion Include="Microsoft.Extensions.Identity.Stores" Version="8.0.8" />
-    <PackageVersion Include="Microsoft.Extensions.Logging" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.1" />
+    <PackageVersion Include="Microsoft.Extensions.Identity.Core" Version="8.0.11" />
+    <PackageVersion Include="Microsoft.Extensions.Identity.Stores" Version="8.0.11" />
+    <PackageVersion Include="Microsoft.Extensions.Logging" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="8.0.2" />
     <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Options.DataAnnotations" Version="8.0.0" />
@@ -45,14 +45,14 @@
     <PackageVersion Include="Asp.Versioning.Mvc" Version="8.1.0" />
     <PackageVersion Include="Asp.Versioning.Mvc.ApiExplorer" Version="8.1.0" />
     <PackageVersion Include="Dazinator.Extensions.FileProviders" Version="2.0.0" />
-    <PackageVersion Include="Examine" Version="3.3.0" />
-    <PackageVersion Include="Examine.Core" Version="3.3.0" />
-    <PackageVersion Include="HtmlAgilityPack" Version="1.11.65" />
+    <PackageVersion Include="Examine" Version="3.5.0" />
+    <PackageVersion Include="Examine.Core" Version="3.5.0" />
+    <PackageVersion Include="HtmlAgilityPack" Version="1.11.71" />
     <PackageVersion Include="JsonPatch.Net" Version="3.1.1" />
     <PackageVersion Include="K4os.Compression.LZ4" Version="1.3.8" />
-    <PackageVersion Include="MailKit" Version="4.7.1.1" />
+    <PackageVersion Include="MailKit" Version="4.8.0" />
     <PackageVersion Include="Markdown" Version="2.2.1" />
-    <PackageVersion Include="MessagePack" Version="2.5.187" />
+    <PackageVersion Include="MessagePack" Version="2.5.192" />
     <PackageVersion Include="MiniProfiler.AspNetCore.Mvc" Version="4.3.8" />
     <PackageVersion Include="MiniProfiler.Shared" Version="4.3.8" />
     <PackageVersion Include="ncrontab" Version="3.3.3" />
@@ -62,32 +62,34 @@
     <PackageVersion Include="OpenIddict.AspNetCore" Version="5.7.0" />
     <PackageVersion Include="OpenIddict.EntityFrameworkCore" Version="5.7.0" />
     <PackageVersion Include="Serilog" Version="3.1.1" />
-    <PackageVersion Include="Serilog.AspNetCore" Version="8.0.2" />
+    <PackageVersion Include="Serilog.AspNetCore" Version="8.0.3" />
     <PackageVersion Include="Serilog.Enrichers.Process" Version="2.0.2" />
     <PackageVersion Include="Serilog.Enrichers.Thread" Version="3.1.0" />
     <PackageVersion Include="Serilog.Expressions" Version="4.0.0" />
     <PackageVersion Include="Serilog.Extensions.Hosting" Version="8.0.0" />
     <PackageVersion Include="Serilog.Formatting.Compact" Version="2.0.0" />
     <PackageVersion Include="Serilog.Formatting.Compact.Reader" Version="3.0.0" />
-    <PackageVersion Include="Serilog.Settings.Configuration" Version="8.0.2" />
+    <PackageVersion Include="Serilog.Settings.Configuration" Version="8.0.4" />
     <PackageVersion Include="Serilog.Sinks.Async" Version="1.5.0" />
     <PackageVersion Include="Serilog.Sinks.File" Version="5.0.0" />
     <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
-    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.5" />
+    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.6" />
     <PackageVersion Include="SixLabors.ImageSharp.Web" Version="3.1.3" />
-    <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.7.3" />
+    <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.9.0" />
   </ItemGroup>
   <!-- Transitive pinned versions (only required because our direct dependencies have vulnerable versions of transitive dependencies) -->
   <ItemGroup>
     <!-- Both Microsoft.EntityFrameworkCore.SqlServer and NPoco.SqlServer bring in a vulnerable version of Azure.Identity -->
-    <PackageVersion Include="Azure.Identity" Version="1.12.0" />
+    <PackageVersion Include="Azure.Identity" Version="1.13.1" />
     <!-- Dazinator.Extensions.FileProviders brings in a vulnerable version of System.Net.Http -->
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <!-- Examine brings in a vulnerable version of System.Security.Cryptography.Xml -->
-    <PackageVersion Include="System.Security.Cryptography.Xml" Version="8.0.1" />
+    <PackageVersion Include="System.Security.Cryptography.Xml" Version="8.0.2" />
     <!-- Both Dazinator.Extensions.FileProviders and MiniProfiler.AspNetCore.Mvc bring in a vulnerable version of System.Text.RegularExpressions -->
     <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
     <!-- Both OpenIddict.AspNetCore, Npoco.SqlServer and Microsoft.EntityFrameworkCore.SqlServer bring in a vulnerable version of Microsoft.IdentityModel.JsonWebTokens -->
     <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.7.1" />
+    <!-- Examine.Lucene bring in a vulnerable version of Lucene.Net.Replicator -->
+    <PackageVersion Include="Lucene.Net.Replicator" Version="4.8.0-beta00017" />
   </ItemGroup>
 </Project>

src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs

@@ -46,7 +46,9 @@ private static void ConfigureOpenIddict(IUmbracoBuilder builder)
                         Paths.BackOfficeApi.LogoutEndpoint.TrimStart(Constants.CharArrays.ForwardSlash))
                     .SetRevocationEndpointUris(
                         Paths.MemberApi.RevokeEndpoint.TrimStart(Constants.CharArrays.ForwardSlash),
-                        Paths.BackOfficeApi.RevokeEndpoint.TrimStart(Constants.CharArrays.ForwardSlash));
+                        Paths.BackOfficeApi.RevokeEndpoint.TrimStart(Constants.CharArrays.ForwardSlash))
+                    .SetUserinfoEndpointUris(
+                        Paths.MemberApi.UserinfoEndpoint.TrimStart(Constants.CharArrays.ForwardSlash));
 
                 // Enable authorization code flow with PKCE
                 options
@@ -58,7 +60,8 @@ private static void ConfigureOpenIddict(IUmbracoBuilder builder)
                 options
                     .UseAspNetCore()
                     .EnableAuthorizationEndpointPassthrough()
-                    .EnableLogoutEndpointPassthrough();
+                    .EnableLogoutEndpointPassthrough()
+                    .EnableUserinfoEndpointPassthrough();
 
                 // Enable reference tokens
                 // - see https://documentation.openiddict.com/configuration/token-storage.html

src/Umbraco.Cms.Api.Common/Security/Paths.cs

@@ -31,6 +31,8 @@ public static class MemberApi
 
         public static readonly string RevokeEndpoint = EndpointPath($"{EndpointTemplate}/revoke");
 
+        public static readonly string UserinfoEndpoint = EndpointPath($"{EndpointTemplate}/userinfo");
+
         // NOTE: we're NOT using /api/v1.0/ here because it will clash with the Delivery API docs
         private static string EndpointPath(string relativePath) => $"/umbraco/delivery/api/v1/{relativePath}";
     }

src/Umbraco.Cms.Api.Delivery/Controllers/Content/ContentApiControllerBase.cs

@@ -15,6 +15,7 @@ namespace Umbraco.Cms.Api.Delivery.Controllers.Content;
 [ApiExplorerSettings(GroupName = "Content")]
 [LocalizeFromAcceptLanguageHeader]
 [ValidateStartItem]
+[AddVaryHeader]
 [OutputCache(PolicyName = Constants.DeliveryApi.OutputCache.ContentCachePolicy)]
 public abstract class ContentApiControllerBase : DeliveryApiControllerBase
 {

src/Umbraco.Cms.Api.Delivery/Controllers/Security/CurrentMemberController.cs

@@ -0,0 +1,28 @@
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using OpenIddict.Server.AspNetCore;
+using Umbraco.Cms.Api.Delivery.Routing;
+using Umbraco.Cms.Api.Delivery.Services;
+
+namespace Umbraco.Cms.Api.Delivery.Controllers.Security;
+
+[ApiVersion("1.0")]
+[ApiController]
+[VersionedDeliveryApiRoute(Common.Security.Paths.MemberApi.EndpointTemplate)]
+[ApiExplorerSettings(IgnoreApi = true)]
+[Authorize(AuthenticationSchemes = OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)]
+public class CurrentMemberController : DeliveryApiControllerBase
+{
+    private readonly ICurrentMemberClaimsProvider _currentMemberClaimsProvider;
+
+    public CurrentMemberController(ICurrentMemberClaimsProvider currentMemberClaimsProvider)
+        => _currentMemberClaimsProvider = currentMemberClaimsProvider;
+
+    [HttpGet("userinfo")]
+    public async Task<IActionResult> Userinfo()
+    {
+        Dictionary<string, object> claims = await _currentMemberClaimsProvider.GetClaimsAsync();
+        return Ok(claims);
+    }
+}

src/Umbraco.Cms.Api.Delivery/DependencyInjection/UmbracoBuilderExtensions.cs

@@ -60,6 +60,7 @@ public static IUmbracoBuilder AddDeliveryApi(this IUmbracoBuilder builder)
         builder.Services.AddSingleton<IApiMediaQueryService, ApiMediaQueryService>();
         builder.Services.AddTransient<IMemberApplicationManager, MemberApplicationManager>();
         builder.Services.AddTransient<IRequestMemberAccessService, RequestMemberAccessService>();
+        builder.Services.AddTransient<ICurrentMemberClaimsProvider, CurrentMemberClaimsProvider>();
 
         builder.Services.ConfigureOptions<ConfigureUmbracoDeliveryApiSwaggerGenOptions>();
         builder.AddUmbracoApiOpenApiUI();

src/Umbraco.Cms.Api.Delivery/Filters/AddVaryHeaderAttribute.cs

@@ -0,0 +1,13 @@
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace Umbraco.Cms.Api.Delivery.Filters;
+
+public sealed class AddVaryHeaderAttribute : ActionFilterAttribute
+{
+    private const string Vary = "Accept-Language, Preview, Start-Item";
+
+    public override void OnResultExecuting(ResultExecutingContext context)
+        => context.HttpContext.Response.Headers.Vary = context.HttpContext.Response.Headers.Vary.Count > 0
+            ? $"{context.HttpContext.Response.Headers.Vary}, {Vary}"
+            : Vary;
+}

src/Umbraco.Cms.Api.Delivery/Querying/Filters/ContentTypeFilter.cs

@@ -1,6 +1,5 @@
 using Umbraco.Cms.Api.Delivery.Indexing.Filters;
 using Umbraco.Cms.Core.DeliveryApi;
-using Umbraco.Extensions;
 
 namespace Umbraco.Cms.Api.Delivery.Querying.Filters;
 
@@ -15,15 +14,15 @@ public bool CanHandle(string query)
     /// <inheritdoc/>
     public FilterOption BuildFilterOption(string filter)
     {
-        var alias = filter.Substring(ContentTypeSpecifier.Length);
+        var filterValue = filter.Substring(ContentTypeSpecifier.Length);
+        var negate = filterValue.StartsWith('!');
+        var aliases = filterValue.TrimStart('!').Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
 
         return new FilterOption
         {
             FieldName = ContentTypeFilterIndexer.FieldName,
-            Values = alias.IsNullOrWhiteSpace() == false
-                ? new[] { alias.TrimStart('!') }
-                : Array.Empty<string>(),
-            Operator = alias.StartsWith('!')
+            Values = aliases,
+            Operator = negate
                 ? FilterOperation.IsNot
                 : FilterOperation.Is
         };

src/Umbraco.Cms.Api.Delivery/Querying/Selectors/AncestorsSelector.cs

@@ -1,5 +1,7 @@
+using Microsoft.Extensions.DependencyInjection;
 using Umbraco.Cms.Api.Delivery.Indexing.Selectors;
 using Umbraco.Cms.Core.DeliveryApi;
+using Umbraco.Cms.Core.DependencyInjection;
 using Umbraco.Cms.Core.Models.PublishedContent;
 using Umbraco.Cms.Core.PublishedCache;
 using Umbraco.Extensions;
@@ -10,10 +12,22 @@ public sealed class AncestorsSelector : QueryOptionBase, ISelectorHandler
 {
     private const string AncestorsSpecifier = "ancestors:";
     private readonly IPublishedSnapshotAccessor _publishedSnapshotAccessor;
+    private readonly IRequestPreviewService _requestPreviewService;
 
-    public AncestorsSelector(IPublishedSnapshotAccessor publishedSnapshotAccessor, IRequestRoutingService requestRoutingService)
-        : base(publishedSnapshotAccessor, requestRoutingService) =>
+    [Obsolete("Please use the non-obsolete constructor. Will be removed in V17.")]
+    public AncestorsSelector(
+        IPublishedSnapshotAccessor publishedSnapshotAccessor,
+        IRequestRoutingService requestRoutingService)
+        : this(publishedSnapshotAccessor, requestRoutingService, StaticServiceProvider.Instance.GetRequiredService<IRequestPreviewService>())
+    {
+    }
+
+    public AncestorsSelector(IPublishedSnapshotAccessor publishedSnapshotAccessor, IRequestRoutingService requestRoutingService, IRequestPreviewService requestPreviewService)
+        : base(publishedSnapshotAccessor, requestRoutingService)
+    {
         _publishedSnapshotAccessor = publishedSnapshotAccessor;
+        _requestPreviewService = requestPreviewService;
+    }
 
     /// <inheritdoc />
     public bool CanHandle(string query)
@@ -37,10 +51,20 @@ public SelectorOption BuildSelectorOption(string selector)
             };
         }
 
-        IPublishedSnapshot publishedSnapshot = _publishedSnapshotAccessor.GetRequiredPublishedSnapshot();
+        IPublishedContentCache contentCache = _publishedSnapshotAccessor.GetRequiredPublishedSnapshot()?.Content
+                                         ?? throw new InvalidOperationException("Could not obtain the content cache");
+
+        IPublishedContent? contentItem = contentCache.GetById(_requestPreviewService.IsPreview(), id.Value);
 
-        IPublishedContent contentItem = publishedSnapshot.Content?.GetById((Guid)id)
-                                        ?? throw new InvalidOperationException("Could not obtain the content cache");
+        if (contentItem is null)
+        {
+            // no such content item, make sure the selector does not yield any results
+            return new SelectorOption
+            {
+                FieldName = AncestorsSelectorIndexer.FieldName,
+                Values = Array.Empty<string>()
+            };
+        }
 
         var ancestorKeys = contentItem.Ancestors().Select(a => a.Key.ToString("D")).ToArray();
 

src/Umbraco.Cms.Api.Delivery/Services/CurrentMemberClaimsProvider.cs

@@ -0,0 +1,43 @@
+using OpenIddict.Abstractions;
+using Umbraco.Cms.Core.Security;
+
+namespace Umbraco.Cms.Api.Delivery.Services;
+
+// NOTE: this is public and unsealed to allow overriding the default claims with minimal effort.
+public class CurrentMemberClaimsProvider : ICurrentMemberClaimsProvider
+{
+    private readonly IMemberManager _memberManager;
+
+    public CurrentMemberClaimsProvider(IMemberManager memberManager)
+        => _memberManager = memberManager;
+
+    public virtual async Task<Dictionary<string, object>> GetClaimsAsync()
+    {
+        MemberIdentityUser? memberIdentityUser = await _memberManager.GetCurrentMemberAsync();
+        return memberIdentityUser is not null
+            ? await GetClaimsForMemberIdentityAsync(memberIdentityUser)
+            : throw new InvalidOperationException("Could not retrieve the current member. This method should only ever be invoked when a member has been authorized.");
+    }
+
+    protected virtual async Task<Dictionary<string, object>> GetClaimsForMemberIdentityAsync(MemberIdentityUser memberIdentityUser)
+    {
+        var claims = new Dictionary<string, object>
+        {
+            [OpenIddictConstants.Claims.Subject] = memberIdentityUser.Key
+        };
+
+        if (memberIdentityUser.Name is not null)
+        {
+            claims[OpenIddictConstants.Claims.Name] = memberIdentityUser.Name;
+        }
+
+        if (memberIdentityUser.Email is not null)
+        {
+            claims[OpenIddictConstants.Claims.Email] = memberIdentityUser.Email;
+        }
+
+        claims[OpenIddictConstants.Claims.Role] = await _memberManager.GetRolesAsync(memberIdentityUser);
+
+        return claims;
+    }
+}