Performance: Optimize property retrieval and authorization checks in collection views (closes #21367)

src/Umbraco.Core/Persistence/Repositories/IContentRepository.cs

@@ -73,6 +73,7 @@ public interface IContentRepository<in TId, TEntity> : IReadWriteQueryRepository
     ///     Gets paged content items.
     /// </summary>
     /// <remarks>Here, <paramref name="filter" /> can be null but <paramref name="ordering" /> cannot.</remarks>
+    [Obsolete("Please use the method overload with all parameters. Scheduled for removal in Umbraco 19.")]
     IEnumerable<TEntity> GetPage(
         IQuery<TEntity>? query,
         long pageIndex,
@@ -81,5 +82,34 @@ IEnumerable<TEntity> GetPage(
         IQuery<TEntity>? filter,
         Ordering? ordering);
 
+    /// <summary>
+    ///     Gets paged content items.
+    /// </summary>
+    /// <param name="query">The base query for content items.</param>
+    /// <param name="pageIndex">The page index (zero-based).</param>
+    /// <param name="pageSize">The number of items per page.</param>
+    /// <param name="totalRecords">Output parameter with total record count.</param>
+    /// <param name="propertyAliases">
+    ///     Optional array of property aliases to load. If null, all properties are loaded.
+    ///     If empty array, no custom properties are loaded (only system properties).
+    /// </param>
+    /// <param name="filter">Optional filter query.</param>
+    /// <param name="ordering">The ordering specification.</param>
+    /// <param name="loadTemplates">
+    ///     Whether to load templates. Set to false for performance optimization when templates are not needed
+    ///     (e.g., collection views). Default is true. Only applies to Document content; ignored for Media/Member.
+    /// </param>
+    /// <returns>A collection of content items for the specified page.</returns>
+    /// <remarks>Here, <paramref name="filter" /> can be null but <paramref name="ordering" /> cannot.</remarks>
+    IEnumerable<TEntity> GetPage(
+        IQuery<TEntity>? query,
+        long pageIndex,
+        int pageSize,
+        out long totalRecords,
+        string[]? propertyAliases,
+        IQuery<TEntity>? filter,
+        Ordering? ordering,
+        bool loadTemplates = true);
+
     ContentDataIntegrityReport CheckDataIntegrity(ContentDataIntegrityReportOptions options);
 }

src/Umbraco.Core/Security/Authorization/ContentPermissionAuthorizer.cs

@@ -73,4 +73,11 @@ public async Task<bool> IsDeniedForCultures(IUser currentUser, ISet<string> cult
         // If we can't find the content item(s) then we can't determine whether you are denied access.
         return result is not (ContentAuthorizationStatus.Success or ContentAuthorizationStatus.NotFound);
     }
+
+    /// <inheritdoc/>
+    public async Task<ISet<Guid>> FilterAuthorizedAsync(
+        IUser currentUser,
+        IEnumerable<Guid> contentKeys,
+        ISet<string> permissionsToCheck) =>
+        await _contentPermissionService.FilterAuthorizedAccessAsync(currentUser, contentKeys, permissionsToCheck);
 }

src/Umbraco.Core/Security/Authorization/IContentPermissionAuthorizer.cs

@@ -81,4 +81,15 @@ Task<bool> IsDeniedAtRecycleBinLevelAsync(IUser currentUser, string permissionTo
     Task<bool> IsDeniedAtRecycleBinLevelAsync(IUser currentUser, ISet<string> permissionsToCheck);
 
     Task<bool> IsDeniedForCultures(IUser currentUser, ISet<string> culturesToCheck);
+
+    /// <summary>
+    ///     Filters the specified content keys to only those the user has access to.
+    /// </summary>
+    /// <param name="currentUser">The current user.</param>
+    /// <param name="contentKeys">The keys of the content items to filter.</param>
+    /// <param name="permissionsToCheck">The collection of permissions to authorize.</param>
+    /// <returns>Returns the keys of content items the user has access to.</returns>
+    // TODO (V18): Remove default implementation.
+    Task<ISet<Guid>> FilterAuthorizedAsync(IUser currentUser, IEnumerable<Guid> contentKeys, ISet<string> permissionsToCheck)
+        => Task.FromResult<ISet<Guid>>(new HashSet<Guid>());
 }

src/Umbraco.Core/Security/Authorization/IMediaPermissionAuthorizer.cs

@@ -38,4 +38,14 @@ Task<bool> IsDeniedAsync(IUser currentUser, Guid mediaKey)
     /// <param name="currentUser">The current user.</param>
     /// <returns>Returns <c>true</c> if authorization is successful, otherwise <c>false</c>.</returns>
     Task<bool> IsDeniedAtRecycleBinLevelAsync(IUser currentUser);
+
+    /// <summary>
+    ///     Filters the specified media keys to only those the user has access to.
+    /// </summary>
+    /// <param name="currentUser">The current user.</param>
+    /// <param name="mediaKeys">The keys of the media items to filter.</param>
+    /// <returns>Returns the keys of media items the user has access to.</returns>
+    // TODO (V18): Remove default implementation.
+    Task<ISet<Guid>> FilterAuthorizedAsync(IUser currentUser, IEnumerable<Guid> mediaKeys)
+        => Task.FromResult<ISet<Guid>>(new HashSet<Guid>());
 }

src/Umbraco.Core/Security/Authorization/MediaPermissionAuthorizer.cs

@@ -44,4 +44,8 @@ public async Task<bool> IsDeniedAtRecycleBinLevelAsync(IUser currentUser)
         // If we can't find the media item(s) then we can't determine whether you are denied access.
         return result is not (MediaAuthorizationStatus.Success or MediaAuthorizationStatus.NotFound);
     }
+
+    /// <inheritdoc/>
+    public async Task<ISet<Guid>> FilterAuthorizedAsync(IUser currentUser, IEnumerable<Guid> mediaKeys) =>
+        await _mediaPermissionService.FilterAuthorizedAccessAsync(currentUser, mediaKeys);
 }

src/Umbraco.Core/Services/ContentEditingService.cs

@@ -345,7 +345,7 @@ protected override IContent New(string? name, int parentId, IContentType content
     protected override OperationResult? Delete(IContent content, int userId) => ContentService.Delete(content, userId);
 
     protected override IEnumerable<IContent> GetPagedChildren(int parentId, int pageIndex, int pageSize, out long total)
-        => ContentService.GetPagedChildren(parentId, pageIndex, pageSize, out total);
+        => ContentService.GetPagedChildren(parentId, pageIndex, pageSize, out total, propertyAliases: null, filter: null, ordering: null);
 
     protected override ContentEditingOperationStatus Sort(IEnumerable<IContent> items, int userId)
     {

src/Umbraco.Core/Services/ContentPermissionService.cs

@@ -1,8 +1,8 @@
-using System.Globalization;
 using Umbraco.Cms.Core.Cache;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.Entities;
 using Umbraco.Cms.Core.Models.Membership;
+using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.AuthorizationStatus;
 using Umbraco.Extensions;
 
@@ -37,19 +37,38 @@
         IEnumerable<Guid> contentKeys,
         ISet<string> permissionsToCheck)
     {
-        var contentItems = _contentService.GetByIds(contentKeys).ToArray();
+        Guid[] keysArray = contentKeys.ToArray();
 
-        if (contentItems.Length == 0)
+        if (keysArray.Length == 0)
+        {
+            return Task.FromResult(ContentAuthorizationStatus.Success);
+        }
+
+        // Use GetAllPaths instead of loading full content items - we only need paths for authorization
+        TreeEntityPath[] entityPaths = _entityService.GetAllPaths(UmbracoObjectTypes.Document, keysArray).ToArray();
+
+        if (entityPaths.Length == 0)
         {
             return Task.FromResult(ContentAuthorizationStatus.NotFound);
         }
 
-        if (contentItems.Any(contentItem => user.HasPathAccess(contentItem, _entityService, _appCaches) == false))
+        // Check if all requested keys were found
+        if (entityPaths.Length != keysArray.Length)
         {
-            return Task.FromResult(ContentAuthorizationStatus.UnauthorizedMissingPathAccess);
+            return Task.FromResult(ContentAuthorizationStatus.NotFound);
+        }
+
+        // Check path access using the paths directly
+        int[]? startNodeIds = user.CalculateContentStartNodeIds(_entityService, _appCaches);
+        foreach (TreeEntityPath entityPath in entityPaths)
+        {
+            if (ContentPermissions.HasPathAccess(entityPath.Path, startNodeIds, Constants.System.RecycleBinContent) == false)
+            {
+                return Task.FromResult(ContentAuthorizationStatus.UnauthorizedMissingPathAccess);
+            }
         }
 
-        return Task.FromResult(HasPermissionAccess(user, contentItems.Select(c => c.Path), permissionsToCheck)
+        return Task.FromResult(HasPermissionAccess(user, entityPaths.Select(p => p.Path), permissionsToCheck)
             ? ContentAuthorizationStatus.Success
             : ContentAuthorizationStatus.UnauthorizedMissingPermissionAccess);
     }
@@ -150,6 +169,54 @@
             : ContentAuthorizationStatus.UnauthorizedMissingCulture;
     }
 
+    /// <inheritdoc/>
+    public Task<ISet<Guid>> FilterAuthorizedAccessAsync(
+        IUser user,
+        IEnumerable<Guid> contentKeys,
+        ISet<string> permissionsToCheck)
+    {
+        Guid[] keysArray = [.. contentKeys];
+
+        if (keysArray.Length == 0)
+        {
+            return Task.FromResult<ISet<Guid>>(new HashSet<Guid>());
+        }
+
+        // Retrieve paths in a a single database query for all keys.
+        TreeEntityPath[] entityPaths = [.. _entityService.GetAllPaths(UmbracoObjectTypes.Document, keysArray)];
+
+        if (entityPaths.Length == 0)
+        {
+            return Task.FromResult<ISet<Guid>>(new HashSet<Guid>());
+        }
+
+        var authorizedKeys = new HashSet<Guid>();
+        int[]? startNodeIds = user.CalculateContentStartNodeIds(_entityService, _appCaches);
+
+        foreach (TreeEntityPath entityPath in entityPaths)
+        {
+            // Check path access
+            if (ContentPermissions.HasPathAccess(entityPath.Path, startNodeIds, Constants.System.RecycleBinContent) == false)
+            {
+                continue;
+            }
+
+            // Check permission access
+            EntityPermissionSet permissionSet = _userService.GetPermissionsForPath(user, entityPath.Path);
+            if (permissionsToCheck.All(p => permissionSet.GetAllPermissions().Contains(p)))
+            {
+                // Get the key for this entity's ID
+                Attempt<Guid> keyAttempt = _entityService.GetKey(entityPath.Id, UmbracoObjectTypes.Document);
+                if (keyAttempt.Success)
+                {
+                    authorizedKeys.Add(keyAttempt.Result);
+                }
+            }
+        }
+
+        return Task.FromResult<ISet<Guid>>(authorizedKeys);
+    }
+
     /// <summary>
     ///     Check the implicit/inherited permissions of a user for given content items.
     /// </summary>

src/Umbraco.Core/Services/ContentService.cs

@@ -1,4 +1,4 @@
 using System.Collections.Immutable;
 using System.Diagnostics.CodeAnalysis;
 using System.Runtime.InteropServices;
 using Microsoft.Extensions.DependencyInjection;
@@ -840,7 +840,12 @@
     }
 
     /// <inheritdoc />
+    [Obsolete("Please use the method overload with all parameters. Scheduled for removal in Umbraco 19.")]
     public IEnumerable<IContent> GetPagedChildren(int id, long pageIndex, int pageSize, out long totalChildren, IQuery<IContent>? filter = null, Ordering? ordering = null)
+        => GetPagedChildren(id, pageIndex, pageSize, out totalChildren, propertyAliases: null, filter: filter, ordering: ordering);
+
+    /// <inheritdoc />
+    public IEnumerable<IContent> GetPagedChildren(int id, long pageIndex, int pageSize, out long totalChildren, string[]? propertyAliases, IQuery<IContent>? filter, Ordering? ordering, bool loadTemplates = true)
     {
         if (pageIndex < 0)
         {
@@ -859,7 +864,7 @@
             scope.ReadLock(Constants.Locks.ContentTree);
 
             IQuery<IContent>? query = Query<IContent>()?.Where(x => x.ParentId == id);
-            return _documentRepository.GetPage(query, pageIndex, pageSize, out totalChildren, filter, ordering);
+            return _documentRepository.GetPage(query, pageIndex, pageSize, out totalChildren, propertyAliases, filter, ordering, loadTemplates);
         }
     }
 
@@ -918,7 +923,7 @@
             throw new ArgumentNullException(nameof(ordering));
         }
 
-        return _documentRepository.GetPage(query, pageIndex, pageSize, out totalChildren, filter, ordering);
+        return _documentRepository.GetPage(query, pageIndex, pageSize, out totalChildren, propertyAliases: null, filter, ordering);
     }
 
     /// <summary>
@@ -1009,7 +1014,7 @@
             scope.ReadLock(Constants.Locks.ContentTree);
             IQuery<IContent>? query = Query<IContent>()?
                 .Where(x => x.Path.StartsWith(Constants.System.RecycleBinContentPathPrefix));
-            return _documentRepository.GetPage(query, pageIndex, pageSize, out totalRecords, filter, ordering);
+            return _documentRepository.GetPage(query, pageIndex, pageSize, out totalRecords, propertyAliases: null, filter, ordering);
         }
     }
 

src/Umbraco.Core/Services/EntityXmlSerializer.cs

@@ -88,7 +88,7 @@ public XElement Serialize(
             while (page * pageSize < total)
             {
                 IEnumerable<IContent> children =
-                    _contentService.GetPagedChildren(content.Id, page++, pageSize, out total);
+                    _contentService.GetPagedChildren(content.Id, page++, pageSize, out total, propertyAliases: null, filter: null, ordering: null);
                 SerializeChildren(children, xml, published);
             }
         }
@@ -678,7 +678,7 @@ private void SerializeChildren(IEnumerable<IContent> children, XElement xml, boo
             while (page * pageSize < total)
             {
                 IEnumerable<IContent> grandChildren =
-                    _contentService.GetPagedChildren(child.Id, page++, pageSize, out total);
+                    _contentService.GetPagedChildren(child.Id, page++, pageSize, out total, propertyAliases: null, filter: null, ordering: null);
 
                 // recurse
                 SerializeChildren(grandChildren, childXml, published);

src/Umbraco.Core/Services/IContentPermissionService.cs

@@ -88,4 +88,15 @@ Task<ContentAuthorizationStatus> AuthorizeBinAccessAsync(IUser user, string perm
     /// <param name="culturesToCheck">The collection of cultures to authorize.</param>
     /// <returns>A task resolving into a <see cref="ContentAuthorizationStatus"/>.</returns>
     Task<ContentAuthorizationStatus> AuthorizeCultureAccessAsync(IUser user, ISet<string> culturesToCheck);
+
+    /// <summary>
+    ///     Filters content keys to only those the user has access to.
+    /// </summary>
+    /// <param name="user"><see cref="IUser" /> to authorize.</param>
+    /// <param name="contentKeys">The identifiers of the content items to filter.</param>
+    /// <param name="permissionsToCheck">The collection of permissions to authorize.</param>
+    /// <returns>A task resolving into the set of authorized content keys.</returns>
+    // TODO (V18): Remove default implementation.
+    Task<ISet<Guid>> FilterAuthorizedAccessAsync(IUser user, IEnumerable<Guid> contentKeys, ISet<string> permissionsToCheck)
+        => Task.FromResult<ISet<Guid>>(new HashSet<Guid>());
 }

src/Umbraco.Core/Services/IContentSearchService{TContent}.cs

@@ -1,14 +1,56 @@
-using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Models;
 
 namespace Umbraco.Cms.Core.Services;
 
+/// <summary>
+/// Defines methods for searching and retrieving child content items of a specified parent, with support for filtering,
+/// ordering, and paging.
+/// </summary>
+/// <typeparam name="TContent">The type of content item to search for. Must implement <see cref="IContentBase"/>.</typeparam>
 public interface IContentSearchService<TContent>
     where TContent : class, IContentBase
 {
+    /// <summary>
+    ///     Searches for children of a content item.
+    /// </summary>
+    /// <param name="query">The search query.</param>
+    /// <param name="parentId">The parent content item key.</param>
+    /// <param name="ordering">The ordering.</param>
+    /// <param name="skip">The number of items to skip.</param>
+    /// <param name="take">The number of items to take.</param>
+    /// <returns>A paged model of content items.</returns>
+    [Obsolete("Please use the method overload with all parameters. Scheduled for removal in Umbraco 19.")]
     Task<PagedModel<TContent>> SearchChildrenAsync(
         string? query,
         Guid? parentId,
         Ordering? ordering,
         int skip = 0,
+        int take = 100)
+        => SearchChildrenAsync(query, parentId, propertyAliases: null, ordering: ordering, skip: skip, take: take);
+
+    /// <summary>
+    ///     Searches for children of a content item with optional property filtering.
+    /// </summary>
+    /// <param name="query">The search query.</param>
+    /// <param name="parentId">The parent content item key.</param>
+    /// <param name="propertyAliases">
+    ///     The property aliases to load. If null, all properties are loaded.
+    ///     If empty array, no custom properties are loaded.
+    /// </param>
+    /// <param name="ordering">The ordering.</param>
+    /// <param name="loadTemplates">
+    ///     Whether to load templates. Set to false for performance optimization when templates are not needed
+    ///     (e.g., collection views). Default is true. Only applies to Document content; ignored for Media/Member.
+    /// </param>
+    /// <param name="skip">The number of items to skip.</param>
+    /// <param name="take">The number of items to take.</param>
+    /// <returns>A paged model of content items.</returns>
+    Task<PagedModel<TContent>> SearchChildrenAsync(
+        string? query,
+        Guid? parentId,
+        string[]? propertyAliases,
+        Ordering? ordering,
+        bool loadTemplates = true,
+        int skip = 0,
         int take = 100);
 }

src/Umbraco.Core/Services/IContentService.cs

@@ -272,8 +272,28 @@ IContent CreateBlueprintFromContent(IContent blueprint, string name, int userId
     /// <param name="totalRecords">Total number of documents.</param>
     /// <param name="filter">Query filter.</param>
     /// <param name="ordering">Ordering infos.</param>
+    [Obsolete("Please use the method overload with all parameters. Scheduled for removal in Umbraco 19.")]
     IEnumerable<IContent> GetPagedChildren(int id, long pageIndex, int pageSize, out long totalRecords, IQuery<IContent>? filter = null, Ordering? ordering = null);
 
+    /// <summary>
+    ///     Gets child documents of a parent with optional property filtering.
+    /// </summary>
+    /// <param name="id">The parent identifier.</param>
+    /// <param name="pageIndex">The page number.</param>
+    /// <param name="pageSize">The page size.</param>
+    /// <param name="totalRecords">Total number of documents.</param>
+    /// <param name="propertyAliases">
+    ///     The property aliases to load. If null, all properties are loaded.
+    ///     If empty array, no custom properties are loaded.
+    /// </param>
+    /// <param name="filter">Query filter.</param>
+    /// <param name="ordering">Ordering infos.</param>
+    /// <param name="loadTemplates">
+    ///     Whether to load templates. Set to false for performance optimization when templates are not needed
+    ///     (e.g., collection views). Default is true.
+    /// </param>
+    IEnumerable<IContent> GetPagedChildren(int id, long pageIndex, int pageSize, out long totalRecords, string[]? propertyAliases, IQuery<IContent>? filter, Ordering? ordering, bool loadTemplates = true);
+
     /// <summary>
     ///     Gets descendant documents of a given parent.
     /// </summary>

src/Umbraco.Core/Services/IMediaPermissionService.cs

@@ -39,4 +39,14 @@ Task<MediaAuthorizationStatus> AuthorizeAccessAsync(IUser user, Guid mediaKey)
     /// <param name="user"><see cref="IUser" /> to authorize.</param>
     /// <returns>A task resolving into a <see cref="MediaAuthorizationStatus"/>.</returns>
     Task<MediaAuthorizationStatus> AuthorizeBinAccessAsync(IUser user);
+
+    /// <summary>
+    ///     Filters media keys to only those the user has access to.
+    /// </summary>
+    /// <param name="user"><see cref="IUser" /> to authorize.</param>
+    /// <param name="mediaKeys">The identifiers of the media items to filter.</param>
+    /// <returns>A task resolving into the set of authorized media keys.</returns>
+    // TODO (V18): Remove default implementation.
+    Task<ISet<Guid>> FilterAuthorizedAccessAsync(IUser user, IEnumerable<Guid> mediaKeys)
+        => Task.FromResult<ISet<Guid>>(new HashSet<Guid>());
 }