Media: Add protection to restrict access to media in recycle bin (closes #2931)

[AndyButland]

Prerequisites

• I have added steps to test this contribution in the description below

Addresses #2931

Description

This PR attempts to address the long standing issue of media files that are associated with media items in the recycle bin being accessible.

There are a couple of prerequisites as part of the PR:

• Adding a MoveFile method to IFileSystem and the various implementations, including a default for any third-party implementations that won't have yet implemented it.
• Making https://kjac.dev/posts/using-umb_ucontext-with-umbraco-14-plus/ a thing provided by Umbraco, given we need it ourselves for part of the functionality of this feature.

Then the implementation itself includes:

• A configuration option to switch the feature on. Avoids breaking behavioural changes, and means it's an optional feature people can turn on if they are concerned with the current behaviour. We could make it the default in a future major.

  "Umbraco": {
    "CMS": {
      "Imaging": {
        "EnableMediaRecycleBinProtection": true

• Whenever media is trashed and moved to the recycle bin, any associated files will get a .deleted suffix - so media/xxx/test.png becomes media/xxx/test.deleted.png.
• Whenever media is restored from the recycle bin, the .deleted suffix is removed.
  • These two features require the MoveFile implementation on IFileSystem.
• A management API mapping change is made such that when image cropper files are rendered for preview in the backoffice as part of a media item property, the .deleted suffix will be added in they are being viewed in the recycle bin.
• A middleware is applied that will check for requests to media files with the the .deleted suffix and only allow access if there is a backoffice user logged in who has access to the "Media" section.
  • This middleware requires the technique described in Kenn's blog post linked above, as IBackOfficeUserAccessor always fails to find the current backoffice user in this context.

Testing

With the code from this PR in place, verify that, with Umbraco:Cms:Imaging:EnableMediaRecycleBinProtection set to true.

• A trashed media file is renamed to have a .deleted suffix.
• When restored it's renamed back.
• The trashed media file is still visible when viewed on the media item in the recycle bin.
• A direct link to the media file on a media item in the recycle bin is rejected when you aren't in the backoffice.

To Do

• Handle children of trashed items, not just the specific items trashed.
• Test with Azure blob storage provider.
• Raise issue with Azure blob storage provider to implement IFileSystem.MoveFile.
• Update documentation for configuration and cookie details.

[Copilot]

Pull Request Overview

This PR implements media recycle bin protection to restrict access to media files when they are moved to the recycle bin. The feature adds security by renaming trashed media files with a .deleted suffix and provides middleware to control access to these protected files.

• Adds new EnableMediaRecycleBinProtection configuration setting in ImagingSettings
• Implements file renaming functionality when media is moved to/from recycle bin
• Introduces middleware protection requiring authentication for trashed media access

Reviewed Changes

Copilot reviewed 28 out of 28 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/Umbraco.Core/Configuration/Models/ImagingSettings.cs	Adds EnableMediaRecycleBinProtection configuration property
src/Umbraco.Core/Constants-Conventions.cs	Defines .deleted suffix constant for trashed media files
src/Umbraco.Core/IO/MediaFileManager.cs	Implements suffix/remove suffix operations for media files
src/Umbraco.Core/IO/IFileSystem.cs	Adds MoveFile method to interface with default implementation
src/Umbraco.Web.Common/Middleware/ProtectRecycleBinMediaMiddleware.cs	New middleware to authenticate access to protected media files
src/Umbraco.Infrastructure/PropertyEditors/NotificationHandlers/FileUploadContentDeletedNotificationHandler.cs	Handles file operations when media is moved to/from recycle bin
src/Umbraco.Web.UI.Client/src/packages/media/media/property-editors/image-cropper/property-editor-ui-image-cropper.element.ts	Updates frontend to handle protected media file paths
Multiple test files	Adds test coverage for new file system operations