From 6358ad20ff92987ddbb1015ecb67a48753e98495 Mon Sep 17 00:00:00 2001 From: Louis DeJardin Date: Wed, 15 Dec 2010 21:54:25 -0800 Subject: [PATCH 1/5] Adjusting permission names which weren't clear from the spec --HG-- branch : 1.x --- src/Orchard.Specs/Bindings/ContentRights.cs | 6 ++-- src/Orchard.Specs/ContentRights.feature | 6 ++-- src/Orchard.Specs/ContentRights.feature.cs | 6 ++-- .../Contents/Controllers/AdminController.cs | 22 +++++++------- .../Contents/Controllers/ItemController.cs | 2 +- .../Core/Contents/DynamicPermissions.cs | 12 ++++---- src/Orchard.Web/Core/Contents/Permissions.cs | 30 ++++++++++++------- .../Security/AuthorizationEventHandler.cs | 6 ++-- .../Views/Content.ControlWrapper.cshtml | 2 +- .../Services/ArchiveLaterService.cs | 2 +- ...ization.ContentTranslations.Summary.cshtml | 2 +- ...on.ContentTranslations.SummaryAdmin.cshtml | 2 +- .../Services/PublishLaterService.cs | 2 +- 13 files changed, 54 insertions(+), 46 deletions(-) diff --git a/src/Orchard.Specs/Bindings/ContentRights.cs b/src/Orchard.Specs/Bindings/ContentRights.cs index 837659ad2..9d47cc7d6 100644 --- a/src/Orchard.Specs/Bindings/ContentRights.cs +++ b/src/Orchard.Specs/Bindings/ContentRights.cs @@ -59,11 +59,11 @@ namespace Orchard.Specs.Bindings { private static Permission GetPermissionForAction(string action) { switch ( action ) { case "publish": - return Permissions.PublishOthersContent; + return Permissions.PublishContent; case "edit": - return Permissions.EditOthersContent; + return Permissions.EditContent; case "delete": - return Permissions.DeleteOthersContent; + return Permissions.DeleteContent; default: return null; } diff --git a/src/Orchard.Specs/ContentRights.feature b/src/Orchard.Specs/ContentRights.feature index b431535cf..b4bd77f9b 100644 --- a/src/Orchard.Specs/ContentRights.feature +++ b/src/Orchard.Specs/ContentRights.feature 
@@ -11,7 +11,7 @@ Scenario: Administrators can manage a Page Scenario: Users can't create a Page if they don't have the PublishContent permission Given I have installed Orchard - When I have a role "CustomRole" with permissions "EditOthersContent, DeleteOthersContent" + When I have a role "CustomRole" with permissions "EditContent, DeleteContent" And I have a user "user1" with roles "CustomRole" Then "user1" should not be able to "publish" a "Page" owned by "user1" And "user1" should be able to "edit" a "Page" owned by "user1" @@ -19,7 +19,7 @@ Scenario: Users can't create a Page if they don't have the PublishContent permis Scenario: Users can create a Page of others if they have PublishContent permission Given I have installed Orchard - When I have a role "CustomRole" with permissions "PublishOthersContent" + When I have a role "CustomRole" with permissions "PublishContent" And I have a user "user1" with roles "CustomRole" And I have a user "user2" with roles "Administrator" Then "user1" should be able to "publish" a "Page" owned by "user2" @@ -44,7 +44,7 @@ Scenario: Users can create and edit a Page even if they only have the PublishOwn Scenario: Users can't edit a Page if they don't have the EditContent permission Given I have installed Orchard - When I have a role "CustomRole" with permissions "DeleteOthersContent" + When I have a role "CustomRole" with permissions "DeleteContent" And I have a user "user1" with roles "CustomRole" Then "user1" should not be able to "publish" a "Page" owned by "user1" And "user1" should not be able to "edit" a "Page" owned by "user1" diff --git a/src/Orchard.Specs/ContentRights.feature.cs b/src/Orchard.Specs/ContentRights.feature.cs index 62be6baa1..425353fd5 100644 --- a/src/Orchard.Specs/ContentRights.feature.cs +++ b/src/Orchard.Specs/ContentRights.feature.cs 
@@ -82,7 +82,7 @@ this.ScenarioSetup(scenarioInfo); #line 13 testRunner.Given("I have installed Orchard"); #line 14 - testRunner.When("I have a role \"CustomRole\" with permissions \"EditOthersContent, DeleteOthersConte" + + testRunner.When("I have a role \"CustomRole\" with permissions \"EditContent, DeleteConte" + "nt\""); #line 15 testRunner.And("I have a user \"user1\" with roles \"CustomRole\""); @@ -106,7 +106,7 @@ this.ScenarioSetup(scenarioInfo); #line 21 testRunner.Given("I have installed Orchard"); #line 22 - testRunner.When("I have a role \"CustomRole\" with permissions \"PublishOthersContent\""); + testRunner.When("I have a role \"CustomRole\" with permissions \"PublishContent\""); #line 23 testRunner.And("I have a user \"user1\" with roles \"CustomRole\""); #line 24 @@ -179,7 +179,7 @@ this.ScenarioSetup(scenarioInfo); #line 46 testRunner.Given("I have installed Orchard"); #line 47 - testRunner.When("I have a role \"CustomRole\" with permissions \"DeleteOthersContent\""); + testRunner.When("I have a role \"CustomRole\" with permissions \"DeleteContent\""); #line 48 testRunner.And("I have a user \"user1\" with roles \"CustomRole\""); #line 49 diff --git a/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs b/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs index 13a69af8d..e2a09b931 100644 --- a/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs +++ b/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs @@ -138,7 +138,7 @@ namespace Orchard.Core.Contents.Controllers { break; case ContentsBulkAction.PublishNow: foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) { - if (!accessChecked && !Services.Authorizer.Authorize(Permissions.PublishOthersContent, item, T("Couldn't publish selected content."))) + if (!accessChecked && !Services.Authorizer.Authorize(Permissions.PublishContent, item, T("Couldn't publish selected content."))) return new HttpUnauthorizedResult(); accessChecked = true; 
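Review bot: The `accessChecked` flag means `Services.Authorizer.Authorize(Permissions.PublishContent, item, ...)` in the PublishNow loop runs only for the first item in `itemIds`; every later item is published with no check at all. Since the authorization handler swaps in the Own variation when the caller owns the item (patch 3's message relies on exactly this), a user holding only PublishOwnContent can list their own item first and others' items after it, and the later ones are never tested. Run the check for every item: drop the `!accessChecked &&` guard and the `accessChecked = true;` line, leaving `if (!Services.Authorizer.Authorize(Permissions.PublishContent, item, T("Couldn't publish selected content."))) return new HttpUnauthorizedResult();` inside the loop. The Unpublish and Remove loops that follow use the same pattern, and the enclosing switch and method begin before this hunk.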
@@ -149,7 +149,7 @@ namespace Orchard.Core.Contents.Controllers { break; case ContentsBulkAction.Unpublish: foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) { - if (!accessChecked && !Services.Authorizer.Authorize(Permissions.PublishOthersContent, item, T("Couldn't unpublish selected content."))) + if (!accessChecked && !Services.Authorizer.Authorize(Permissions.PublishContent, item, T("Couldn't unpublish selected content."))) return new HttpUnauthorizedResult(); accessChecked = true; @@ -160,7 +160,7 @@ namespace Orchard.Core.Contents.Controllers { break; case ContentsBulkAction.Remove: foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) { - if (!accessChecked && !Services.Authorizer.Authorize(Permissions.DeleteOthersContent, item, T("Couldn't remove selected content."))) + if (!accessChecked && !Services.Authorizer.Authorize(Permissions.DeleteContent, item, T("Couldn't remove selected content."))) return new HttpUnauthorizedResult(); accessChecked = true; @@ -190,7 +190,7 @@ namespace Orchard.Core.Contents.Controllers { var contentItem = _contentManager.New(id); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, contentItem, T("Cannot create content"))) + if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Cannot create content"))) return new HttpUnauthorizedResult(); dynamic model = _contentManager.BuildEditor(contentItem); @@ -219,7 +219,7 @@ namespace Orchard.Core.Contents.Controllers { private ActionResult CreatePOST(string id, Action conditionallyPublish) { var contentItem = _contentManager.New(id); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, contentItem, T("Couldn't create content"))) + if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't create content"))) return new HttpUnauthorizedResult(); _contentManager.Create(contentItem, VersionOptions.Draft); 
@@ -245,7 +245,7 @@ namespace Orchard.Core.Contents.Controllers { if (contentItem == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.EditOthersContent, contentItem, T("Cannot edit content"))) + if (!Services.Authorizer.Authorize(Permissions.EditContent, contentItem, T("Cannot edit content"))) return new HttpUnauthorizedResult(); dynamic model = _contentManager.BuildEditor(contentItem); @@ -270,7 +270,7 @@ namespace Orchard.Core.Contents.Controllers { if (content == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, content, T("Couldn't publish content"))) + if (!Services.Authorizer.Authorize(Permissions.PublishContent, content, T("Couldn't publish content"))) return new HttpUnauthorizedResult(); return EditPOST(id, returnUrl, contentItem => _contentManager.Publish(contentItem)); @@ -282,7 +282,7 @@ namespace Orchard.Core.Contents.Controllers { if (contentItem == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.EditOthersContent, contentItem, T("Couldn't edit content"))) + if (!Services.Authorizer.Authorize(Permissions.EditContent, contentItem, T("Couldn't edit content"))) return new HttpUnauthorizedResult(); dynamic model = _contentManager.UpdateEditor(contentItem, this); @@ -304,7 +304,7 @@ namespace Orchard.Core.Contents.Controllers { public ActionResult Remove(int id, string returnUrl) { var contentItem = _contentManager.Get(id, VersionOptions.Latest); - if (!Services.Authorizer.Authorize(Permissions.DeleteOthersContent, contentItem, T("Couldn't remove content"))) + if (!Services.Authorizer.Authorize(Permissions.DeleteContent, contentItem, T("Couldn't remove content"))) return new HttpUnauthorizedResult(); if (contentItem != null) { 
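Review bot: In `Remove`, `Authorize(Permissions.DeleteContent, contentItem, ...)` runs before the `if (contentItem != null)` test, so an unknown id is authorized against a null item; the owner adjustment presumably has nothing to inspect, and a caller with only DeleteOwnContent gets a 401 where the sibling Publish and Unpublish actions return `HttpNotFound()` first. Reorder to match them: `if (contentItem == null) return HttpNotFound();` ahead of the authorize call, which also makes the later `if (contentItem != null)` wrapper redundant. The method body continues past the end of this hunk.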
@@ -323,7 +323,7 @@ namespace Orchard.Core.Contents.Controllers { if (contentItem == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, contentItem, T("Couldn't publish content"))) + if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't publish content"))) return new HttpUnauthorizedResult(); _contentManager.Publish(contentItem); @@ -339,7 +339,7 @@ namespace Orchard.Core.Contents.Controllers { if (contentItem == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, contentItem, T("Couldn't unpublish content"))) + if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't unpublish content"))) return new HttpUnauthorizedResult(); _contentManager.Unpublish(contentItem); diff --git a/src/Orchard.Web/Core/Contents/Controllers/ItemController.cs b/src/Orchard.Web/Core/Contents/Controllers/ItemController.cs index 429e84833..12b8334a3 100644 --- a/src/Orchard.Web/Core/Contents/Controllers/ItemController.cs +++ b/src/Orchard.Web/Core/Contents/Controllers/ItemController.cs @@ -37,7 +37,7 @@ namespace Orchard.Core.Contents.Controllers { var contentItem = _contentManager.Get(id, versionOptions); - if (!Services.Authorizer.Authorize(Permissions.EditOthersContent, contentItem, T("Cannot edit content"))) + if (!Services.Authorizer.Authorize(Permissions.EditContent, contentItem, T("Cannot edit content"))) return new HttpUnauthorizedResult(); dynamic model = _contentManager.BuildDisplay(contentItem); diff --git a/src/Orchard.Web/Core/Contents/DynamicPermissions.cs b/src/Orchard.Web/Core/Contents/DynamicPermissions.cs index 41ab490f7..b1f42d39f 100644 --- a/src/Orchard.Web/Core/Contents/DynamicPermissions.cs +++ b/src/Orchard.Web/Core/Contents/DynamicPermissions.cs 
@@ -9,19 +9,19 @@ using Orchard.Security.Permissions; namespace Orchard.Core.Contents { public class DynamicPermissions : IPermissionProvider { - private static readonly Permission PublishContent = new Permission { Description = "Publish or unpublish {0} for others", Name = "Publish_{0}", ImpliedBy = new[] { Permissions.PublishOthersContent } }; + private static readonly Permission PublishContent = new Permission { Description = "Publish or unpublish {0} for others", Name = "Publish_{0}", ImpliedBy = new[] { Permissions.PublishContent } }; private static readonly Permission PublishOwnContent = new Permission { Description = "Publish or unpublish {0}", Name = "PublishOwn_{0}", ImpliedBy = new[] { PublishContent, Permissions.PublishOwnContent } }; - private static readonly Permission EditContent = new Permission { Description = "Edit {0} for others", Name = "Edit_{0}", ImpliedBy = new[] { PublishContent, Permissions.PublishOthersContent } }; + private static readonly Permission EditContent = new Permission { Description = "Edit {0} for others", Name = "Edit_{0}", ImpliedBy = new[] { PublishContent, Permissions.PublishContent } }; private static readonly Permission EditOwnContent = new Permission { Description = "Edit {0}", Name = "EditOwn_{0}", ImpliedBy = new[] { EditContent, PublishOwnContent, Permissions.EditOwnContent } }; - private static readonly Permission DeleteContent = new Permission { Description = "Delete {0} for others", Name = "Delete_{0}", ImpliedBy = new[] { Permissions.DeleteOthersContent } }; + private static readonly Permission DeleteContent = new Permission { Description = "Delete {0} for others", Name = "Delete_{0}", ImpliedBy = new[] { Permissions.DeleteContent } }; private static readonly Permission DeleteOwnContent = new Permission { Description = "Delete {0}", Name = "DeleteOwn_{0}", ImpliedBy = new[] { DeleteContent, Permissions.DeleteOwnContent } }; public static readonly Dictionary PermissionTemplates = new Dictionary { - 
{Permissions.PublishOthersContent.Name, PublishContent}, + {Permissions.PublishContent.Name, PublishContent}, {Permissions.PublishOwnContent.Name, PublishOwnContent}, - {Permissions.EditOthersContent.Name, EditContent}, + {Permissions.EditContent.Name, EditContent}, {Permissions.EditOwnContent.Name, EditOwnContent}, - {Permissions.DeleteOthersContent.Name, DeleteContent}, + {Permissions.DeleteContent.Name, DeleteContent}, {Permissions.DeleteOwnContent.Name, DeleteOwnContent} }; diff --git a/src/Orchard.Web/Core/Contents/Permissions.cs b/src/Orchard.Web/Core/Contents/Permissions.cs index 139ba1cad..2c1cdac1e 100644 --- a/src/Orchard.Web/Core/Contents/Permissions.cs +++ b/src/Orchard.Web/Core/Contents/Permissions.cs 
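Review bot: The `Edit_{0}` template's `ImpliedBy` lists `PublishContent, Permissions.PublishContent` whereas the Publish and Delete templates each list their own global counterpart (`Permissions.PublishContent`, `Permissions.DeleteContent`); `Permissions.EditContent` is missing, which reads as a copy-paste slip carried over from the old `PublishOthersContent` line rather than something this rename introduced. Unless the authorization handler's template substitution compensates (not visible here), a role granted only the global EditContent would not be recognized as holding `Edit_<type>`. Suggested: `ImpliedBy = new[] { PublishContent, Permissions.EditContent }` — Permissions.PublishContent still reaches it transitively, because Permissions.EditContent is itself implied by Permissions.PublishContent.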
@@ -4,12 +4,20 @@ using Orchard.Security.Permissions; namespace Orchard.Core.Contents { public class Permissions : IPermissionProvider { - public static readonly Permission PublishOthersContent = new Permission { Description = "Publish or unpublish content for others", Name = "PublishOthersContent" }; - public static readonly Permission PublishOwnContent = new Permission { Description = "Publish or unpublish own content", Name = "PublishOwnContent", ImpliedBy = new[] { PublishOthersContent } }; - public static readonly Permission EditOthersContent = new Permission { Description = "Edit content for others", Name = "EditOthersContent", ImpliedBy = new[] { PublishOthersContent } }; - public static readonly Permission EditOwnContent = new Permission { Description = "Edit own content", Name = "EditOwnContent", ImpliedBy = new[] { EditOthersContent, PublishOwnContent } }; - public static readonly Permission DeleteOthersContent = new Permission { Description = "Delete content for others", Name = "DeleteOthersContent" }; - public static readonly Permission DeleteOwnContent = new Permission { Description = "Delete own content", Name = "DeleteOwnContent", ImpliedBy = new[] { DeleteOthersContent } }; + + // Note - in code you should demand PublishContent, EditContent, or DeleteContent + // Do not demand the "Own" variation - those are applied automatically when you demand the main three + + // Also - the internal name EditContent is used instead of EditOthersContent + // because demanding "EditContent" is correct and looks right, + // but demanding "EditOthersContent" looks wrong so wasn't used when it should have been + + public static readonly Permission PublishContent = new Permission { Description = "Publish or unpublish content for others", Name = "PublishContent" }; + public static readonly Permission PublishOwnContent = new Permission { Description = "Publish or unpublish own content", Name = "PublishOwnContent", ImpliedBy = new[] { PublishContent } }; + public static 
readonly Permission EditContent = new Permission { Description = "Edit content for others", Name = "EditContent", ImpliedBy = new[] { PublishContent } }; + public static readonly Permission EditOwnContent = new Permission { Description = "Edit own content", Name = "EditOwnContent", ImpliedBy = new[] { EditContent, PublishOwnContent } }; + public static readonly Permission DeleteContent = new Permission { Description = "Delete content for others", Name = "DeleteContent" }; + public static readonly Permission DeleteOwnContent = new Permission { Description = "Delete own content", Name = "DeleteOwnContent", ImpliedBy = new[] { DeleteContent } }; public static readonly Permission MetaListContent = new Permission { ImpliedBy = new[] { EditOwnContent, PublishOwnContent, DeleteOwnContent } }; @@ -18,11 +26,11 @@ namespace Orchard.Core.Contents { public IEnumerable GetPermissions() { return new [] { EditOwnContent, - EditOthersContent, + EditContent, PublishOwnContent, - PublishOthersContent, + PublishContent, DeleteOwnContent, - DeleteOthersContent, + DeleteContent, }; } @@ -30,11 +38,11 @@ namespace Orchard.Core.Contents { return new[] { new PermissionStereotype { Name = "Administrator", - Permissions = new[] {PublishOthersContent,EditOthersContent,DeleteOthersContent} + Permissions = new[] {PublishContent,EditContent,DeleteContent} }, new PermissionStereotype { Name = "Editor", - Permissions = new[] {PublishOthersContent,EditOthersContent,DeleteOthersContent} + Permissions = new[] {PublishContent,EditContent,DeleteContent} }, new PermissionStereotype { Name = "Moderator", diff --git a/src/Orchard.Web/Core/Contents/Security/AuthorizationEventHandler.cs b/src/Orchard.Web/Core/Contents/Security/AuthorizationEventHandler.cs index af03f52eb..187fbde3f 100644 --- a/src/Orchard.Web/Core/Contents/Security/AuthorizationEventHandler.cs +++ b/src/Orchard.Web/Core/Contents/Security/AuthorizationEventHandler.cs 
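Review bot: Changing `Name = "PublishOthersContent"` to `Name = "PublishContent"` (and likewise for Edit and Delete) changes the identifier the rest of the system matches on — `GetOwnerVariation` and the DynamicPermissions template dictionary both key on `.Name` — yet the commit ships no migration. If role grants in existing sites are stored by that name, roles granted the old names will silently stop matching after upgrade; that fails closed, which is the safe direction, but editors lose publish/edit/delete rights with nothing explaining why. Either keep the old strings in `Name` and rename only the C# members, or add a migration rewriting the three old names to the new ones, and state the upgrade impact in the commit message. The Blogs rename in the next patch has the same consequence.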
@@ -54,11 +54,11 @@ namespace Orchard.Core.Contents.Security } private static Permission GetOwnerVariation(Permission permission) { - if (permission.Name == Permissions.PublishOthersContent.Name) + if (permission.Name == Permissions.PublishContent.Name) return Permissions.PublishOwnContent; - if (permission.Name == Permissions.EditOthersContent.Name) + if (permission.Name == Permissions.EditContent.Name) return Permissions.EditOwnContent; - if (permission.Name == Permissions.DeleteOthersContent.Name) + if (permission.Name == Permissions.DeleteContent.Name) return Permissions.DeleteOwnContent; return null; } diff --git a/src/Orchard.Web/Core/Contents/Views/Content.ControlWrapper.cshtml b/src/Orchard.Web/Core/Contents/Views/Content.ControlWrapper.cshtml index ae070a131..c34821b5b 100644 --- a/src/Orchard.Web/Core/Contents/Views/Content.ControlWrapper.cshtml +++ b/src/Orchard.Web/Core/Contents/Views/Content.ControlWrapper.cshtml @@ -1,6 +1,6 @@ @using Orchard.ContentManagement; @using Orchard.Core.Contents; -@if (AuthorizedFor(Permissions.EditOthersContent)) { +@if (AuthorizedFor(Permissions.EditContent)) {
@Html.ItemEditLinkWithReturnUrl(T("Edit").Text, (ContentItem)Model.ContentItem)
@Display(Model.Child) diff --git a/src/Orchard.Web/Modules/Orchard.ArchiveLater/Services/ArchiveLaterService.cs b/src/Orchard.Web/Modules/Orchard.ArchiveLater/Services/ArchiveLaterService.cs index 3cc1a7b54..ef55b7f2e 100644 --- a/src/Orchard.Web/Modules/Orchard.ArchiveLater/Services/ArchiveLaterService.cs +++ b/src/Orchard.Web/Modules/Orchard.ArchiveLater/Services/ArchiveLaterService.cs @@ -24,7 +24,7 @@ namespace Orchard.ArchiveLater.Services { public Localizer T { get; set; } void IArchiveLaterService.ArchiveLater(ContentItem contentItem, DateTime scheduledArchiveUtc) { - if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, contentItem, T("Couldn't archive selected content."))) + if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't archive selected content."))) return; RemoveArchiveLaterTasks(contentItem); diff --git a/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.Summary.cshtml b/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.Summary.cshtml index 2b6cb48f0..e11e22c17 100644 --- a/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.Summary.cshtml +++ b/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.Summary.cshtml @@ -1,6 +1,6 @@ @using Orchard.Core.Contents; @using Orchard.Localization.Models; -@if (AuthorizedFor(Permissions.PublishOthersContent)) { +@if (AuthorizedFor(Permissions.PublishContent)) { Style.Require("LocalizationAdmin"); IEnumerable localizations = Model.Localizations; var localizationLinks = Html.UnorderedList(localizations, (c, i) => Html.ItemEditLink(c.Culture.Culture, c), "localizations"); 
diff --git a/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.SummaryAdmin.cshtml b/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.SummaryAdmin.cshtml index c5e2fd5f2..ed47211d7 100644 --- a/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.SummaryAdmin.cshtml +++ b/src/Orchard.Web/Modules/Orchard.Localization/Views/Parts/Localization.ContentTranslations.SummaryAdmin.cshtml @@ -1,6 +1,6 @@ @using Orchard.Core.Contents; @using Orchard.Localization.Models; -@if (AuthorizedFor(Permissions.PublishOthersContent)) { +@if (AuthorizedFor(Permissions.PublishContent)) { Style.Require("LocalizationAdmin"); IEnumerable localizations = Model.Localizations; var localizationLinks = Html.UnorderedList(localizations, (c, i) => Html.ItemEditLink(c.Culture.Culture, c), "localizations"); diff --git a/src/Orchard.Web/Modules/Orchard.PublishLater/Services/PublishLaterService.cs b/src/Orchard.Web/Modules/Orchard.PublishLater/Services/PublishLaterService.cs index f0e650a74..94a69b005 100644 --- a/src/Orchard.Web/Modules/Orchard.PublishLater/Services/PublishLaterService.cs +++ b/src/Orchard.Web/Modules/Orchard.PublishLater/Services/PublishLaterService.cs @@ -21,7 +21,7 @@ namespace Orchard.PublishLater.Services { public Localizer T { get; set; } void IPublishLaterService.Publish(ContentItem contentItem, DateTime scheduledPublishUtc) { - if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, contentItem, T("Couldn't publish selected content."))) + if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't publish selected content."))) return; _publishingTaskManager.Publish(contentItem, scheduledPublishUtc); From 49ef5a44a7b3cd3439d8efdd435b0738c0d0bc82 Mon Sep 17 00:00:00 2001 
From: Louis DeJardin Date: Wed, 15 Dec 2010 22:02:06 -0800 Subject: [PATCH 2/5] Removing the term Others from Blogs module permissions (for consistency with Contents module) --HG-- branch : 1.x --- .../Controllers/BlogPostAdminController.cs | 16 +++++++------- .../Modules/Orchard.Blogs/Permissions.cs | 22 +++++++++---------- .../Security/BlogAuthorizationEventHandler.cs | 6 ++--- .../Orchard.Blogs/Services/XmlRpcHandler.cs | 6 ++--- 4 files changed, 25 insertions(+), 25 deletions(-) diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs index 2022dd933..556a3c151 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs @@ -95,7 +95,7 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post, T("Couldn't edit blog post"))) + if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, post, T("Couldn't edit blog post"))) return new HttpUnauthorizedResult(); dynamic model = Services.ContentManager.BuildEditor(post); @@ -124,7 +124,7 @@ namespace Orchard.Blogs.Controllers { if (blogPost == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, blogPost, T("Couldn't publish blog post"))) + if (!Services.Authorizer.Authorize(Permissions.PublishBlogPost, blogPost, T("Couldn't publish blog post"))) return new HttpUnauthorizedResult(); return EditPOST(blogId, postId, returnUrl, contentItem => Services.ContentManager.Publish(contentItem)); 
@@ -140,7 +140,7 @@ namespace Orchard.Blogs.Controllers { if (blogPost == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, blogPost, T("Couldn't edit blog post"))) + if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, blogPost, T("Couldn't edit blog post"))) return new HttpUnauthorizedResult(); // Validate form input @@ -167,7 +167,7 @@ namespace Orchard.Blogs.Controllers { } // check edit permission - if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, draft, T("Couldn't discard blog post draft"))) + if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, draft, T("Couldn't discard blog post draft"))) return new HttpUnauthorizedResult(); // locate the published revision to revert onto @@ -198,7 +198,7 @@ namespace Orchard.Blogs.Controllers { [ValidateAntiForgeryTokenOrchard] public ActionResult Delete(int blogId, int postId) { - //refactoring: test PublishBlogPost/PublishOthersBlogPost in addition if published + //refactoring: test PublishBlogPost/PublishBlogPost in addition if published var blog = _blogService.Get(blogId, VersionOptions.Latest); if (blog == null) @@ -208,7 +208,7 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.DeleteOthersBlogPost, post, T("Couldn't delete blog post"))) + if (!Services.Authorizer.Authorize(Permissions.DeleteBlogPost, post, T("Couldn't delete blog post"))) return new HttpUnauthorizedResult(); _blogPostService.Delete(post); @@ -227,7 +227,7 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, post, T("Couldn't publish blog post"))) + if (!Services.Authorizer.Authorize(Permissions.PublishBlogPost, post, T("Couldn't publish blog post"))) return new HttpUnauthorizedResult(); _blogPostService.Publish(post); 
@@ -246,7 +246,7 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, post, T("Couldn't unpublish blog post"))) + if (!Services.Authorizer.Authorize(Permissions.PublishBlogPost, post, T("Couldn't unpublish blog post"))) return new HttpUnauthorizedResult(); _blogPostService.Unpublish(post); diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs index 3c4b790d8..e4a346ce8 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs 
@@ -6,14 +6,14 @@ namespace Orchard.Blogs { public class Permissions : IPermissionProvider { public static readonly Permission ManageBlogs = new Permission { Description = "Manage blogs", Name = "ManageBlogs" }; - public static readonly Permission PublishOthersBlogPost = new Permission { Description = "Publish or unpublish blog post for others", Name = "PublishOthersBlogPost", ImpliedBy = new[] { ManageBlogs } }; - public static readonly Permission PublishOwnBlogPost = new Permission { Description = "Publish or unpublish own blog post", Name = "PublishOwnBlogPost", ImpliedBy = new[] { PublishOthersBlogPost } }; - public static readonly Permission EditOthersBlogPost = new Permission { Description = "Edit any blog posts", Name = "EditOthersBlogPost", ImpliedBy = new[] { PublishOthersBlogPost } }; - public static readonly Permission EditOwnBlogPost = new Permission { Description = "Edit own blog posts", Name = "EditOwnBlogPost", ImpliedBy = new[] { EditOthersBlogPost, PublishOwnBlogPost } }; - public static readonly Permission DeleteOthersBlogPost = new Permission { Description = "Delete blog post for others", Name = "DeleteOthersBlogPost", ImpliedBy = new[] { ManageBlogs } }; - public static readonly Permission DeleteOwnBlogPost = new Permission { Description = "Delete own blog post", Name = "DeleteOwnBlogPost", ImpliedBy = new[] { DeleteOthersBlogPost } }; + public static readonly Permission PublishBlogPost = new Permission { Description = "Publish or unpublish blog post for others", Name = "PublishBlogPost", ImpliedBy = new[] { ManageBlogs } }; + public static readonly Permission PublishOwnBlogPost = new Permission { Description = "Publish or unpublish own blog post", Name = "PublishOwnBlogPost", ImpliedBy = new[] { PublishBlogPost } }; + public static readonly Permission EditBlogPost = new Permission { Description = "Edit any blog posts", Name = "EditBlogPost", ImpliedBy = new[] { PublishBlogPost } }; + public static readonly Permission EditOwnBlogPost = new 
Permission { Description = "Edit own blog posts", Name = "EditOwnBlogPost", ImpliedBy = new[] { EditBlogPost, PublishOwnBlogPost } }; + public static readonly Permission DeleteBlogPost = new Permission { Description = "Delete blog post for others", Name = "DeleteBlogPost", ImpliedBy = new[] { ManageBlogs } }; + public static readonly Permission DeleteOwnBlogPost = new Permission { Description = "Delete own blog post", Name = "DeleteOwnBlogPost", ImpliedBy = new[] { DeleteBlogPost } }; - public static readonly Permission MetaListOthersBlogs = new Permission { ImpliedBy = new[] { EditOthersBlogPost, PublishOthersBlogPost, DeleteOthersBlogPost } }; + public static readonly Permission MetaListOthersBlogs = new Permission { ImpliedBy = new[] { EditBlogPost, PublishBlogPost, DeleteBlogPost } }; public static readonly Permission MetaListOwnBlogs = new Permission { ImpliedBy = new[] { EditOwnBlogPost, PublishOwnBlogPost, DeleteOwnBlogPost } }; public virtual Feature Feature { get; set; } @@ -22,11 +22,11 @@ namespace Orchard.Blogs { return new[] { ManageBlogs, EditOwnBlogPost, - EditOthersBlogPost, + EditBlogPost, PublishOwnBlogPost, - PublishOthersBlogPost, + PublishBlogPost, DeleteOwnBlogPost, - DeleteOthersBlogPost, + DeleteBlogPost, }; } @@ -38,7 +38,7 @@ namespace Orchard.Blogs { }, new PermissionStereotype { Name = "Editor", - Permissions = new[] {PublishOthersBlogPost,EditOthersBlogPost,DeleteOthersBlogPost} + Permissions = new[] {PublishBlogPost,EditBlogPost,DeleteBlogPost} }, new PermissionStereotype { Name = "Moderator", diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Security/BlogAuthorizationEventHandler.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Security/BlogAuthorizationEventHandler.cs index fb0585f71..a815a90a1 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Security/BlogAuthorizationEventHandler.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Security/BlogAuthorizationEventHandler.cs 
@@ -37,11 +37,11 @@ namespace Orchard.Blogs.Security { } private static Permission GetOwnerVariation(Permission permission) { - if (permission.Name == Permissions.PublishOthersBlogPost.Name) + if (permission.Name == Permissions.PublishBlogPost.Name) return Permissions.PublishOwnBlogPost; - if (permission.Name == Permissions.EditOthersBlogPost.Name) + if (permission.Name == Permissions.EditBlogPost.Name) return Permissions.EditOwnBlogPost; - if (permission.Name == Permissions.DeleteOthersBlogPost.Name) + if (permission.Name == Permissions.DeleteBlogPost.Name) return Permissions.DeleteOwnBlogPost; return null; } diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs index bf06b98ac..4ab345b21 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs @@ -239,7 +239,7 @@ namespace Orchard.Blogs.Services { if (blogPost == null) throw new ArgumentException(); - _authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, blogPost); + _authorizationService.CheckAccess(Permissions.EditBlogPost, user, blogPost); var postStruct = CreateBlogStruct(blogPost, urlHelper); @@ -255,7 +255,7 @@ namespace Orchard.Blogs.Services { if (blogPost == null) throw new ArgumentException(); - _authorizationService.CheckAccess(publish ? Permissions.PublishOthersBlogPost : Permissions.EditOthersBlogPost, user, blogPost); + _authorizationService.CheckAccess(publish ? Permissions.PublishBlogPost : Permissions.EditBlogPost, user, blogPost); var title = content.Optional("title"); var description = content.Optional("description"); 
@@ -290,7 +290,7 @@ namespace Orchard.Blogs.Services {
 if (blogPost == null) throw new ArgumentException();
- _authorizationService.CheckAccess(Permissions.DeleteOthersBlogPost, user, blogPost);
+ _authorizationService.CheckAccess(Permissions.DeleteBlogPost, user, blogPost);
 foreach (var driver in drivers) driver.Process(blogPost.Id);
From e44facf4ab2aea954075eaf9b4bb5c9bab7cb981 Mon Sep 17 00:00:00 2001 From: Louis DeJardin Date: Wed, 15 Dec 2010 22:22:58 -0800 Subject: [PATCH 3/5] Changing authorize calls to avoid demanding "Own" variations The demand is adjusted if the user is the owner - but the "Own" variation is never used directly --HG-- branch : 1.x --- .../Orchard.Blogs/Controllers/BlogPostAdminController.cs | 6 +++--- .../Modules/Orchard.Blogs/Services/XmlRpcHandler.cs | 9 +++++---- 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs
index 556a3c151..423895fe5 100644
--- a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs
@@ -32,7 +32,7 @@ namespace Orchard.Blogs.Controllers {
 public Localizer T { get; set; }
 public ActionResult Create() {
- if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Not allowed to create blog post")))
+ if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, T("Not allowed to create blog post")))
 return new HttpUnauthorizedResult();
 var blogPost = Services.ContentManager.New("BlogPost");
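Review bot: `Create()` now demands `Permissions.EditBlogPost` with no content item, so the owner-based downgrade to `EditOwnBlogPost` that `GetOwnerVariation` provides has nothing to test ownership against, and a user holding only `EditOwnBlogPost` is presumably refused where the previous `EditOwnBlogPost` demand admitted them. The commit message relies on the demand being adjusted for the owner, but that adjustment needs an item to own. Since `var blogPost = Services.ContentManager.New("BlogPost");` follows immediately, consider instantiating first and authorizing against it, `if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, blogPost, T("Not allowed to create blog post")))`, assuming an item-taking overload exists and the owner is assigned at instantiation — neither is visible here. The rest of `Create()` lies outside the hunk.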
@@ -56,14 +56,14 @@ namespace Orchard.Blogs.Controllers {
 [HttpPost, ActionName("Create")]
 [FormValueRequired("submit.Publish")]
 public ActionResult CreateAndPublishPOST() {
- if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, T("Couldn't create blog post")))
+ if (!Services.Authorizer.Authorize(Permissions.PublishBlogPost, T("Couldn't create blog post")))
 return new HttpUnauthorizedResult();
 return CreatePOST(contentItem => Services.ContentManager.Publish(contentItem));
 }
 public ActionResult CreatePOST(Action conditionallyPublish) {
- if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Couldn't create blog post")))
+ if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, T("Couldn't create blog post")))
 return new HttpUnauthorizedResult();
 var blogPost = Services.ContentManager.New("BlogPost");
diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs
index 4ab345b21..dc41db9a3 100644
--- a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs
@@ -128,11 +128,12 @@ namespace Orchard.Blogs.Services {
 IUser user = ValidateUser(userName, password);
- // User needs to at least have permission to edit its own blog posts to access the service
- _authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null);
 XRpcArray array = new XRpcArray();
 foreach (BlogPart blog in _blogService.Get()) {
+ // User needs to at least have permission to edit its own blog posts to access the service
+ _authorizationService.CheckAccess(Permissions.EditBlogPost, user, blog);
+
 BlogPart blogPart = blog;
 array.Add(new XRpcStruct()
 .Set("url", urlHelper.AbsoluteAction(() => urlHelper.Blog(blogPart)))
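Review bot: Both `CreateAndPublishPOST()` and `CreatePOST(...)` now authorize `PublishBlogPost` / `EditBlogPost` without a content item, so the owner adjustment the commit message counts on cannot fire and users granted only the `Own` variants are presumably locked out of creating posts. `CreatePOST` instantiates the item on the very next line, `var blogPost = Services.ContentManager.New("BlogPost");`, so the edit demand could be made against that item rather than against nothing. The publish demand in `CreateAndPublishPOST` has no item at that point at all; if it is meant to stay there, a comment such as `// No item exists yet: ownership cannot be considered, so this requires the blog-wide permission` would make the behaviour explicit. `CreatePOST` continues beyond the hunk.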
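Review bot: Moving `_authorizationService.CheckAccess(Permissions.EditBlogPost, user, blog)` inside the `foreach` means the first blog the caller may not edit aborts the whole `getUsersBlogs` response (CheckAccess presumably throws rather than returning false), so a user who can edit some blogs but not all now gets an error instead of the list of blogs they can use. If the service offers a non-throwing variant, filter instead, e.g. `if (!_authorizationService.TryCheckAccess(Permissions.EditBlogPost, user, blog)) continue;`, and fail only when no blog remains. The retained comment still says `edit its own blog posts` although the check is now made against each `BlogPart`, not a post; `// Only list blogs whose posts this user may edit` would match the code. The enclosing method starts before the hunk.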
@@ -154,7 +155,7 @@ namespace Orchard.Blogs.Services {
 IUser user = ValidateUser(userName, password);
 // User needs to at least have permission to edit its own blog posts to access the service
- _authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null);
+ _authorizationService.CheckAccess(Permissions.EditBlogPost, user, null);
 BlogPart blog = _contentManager.Get(Convert.ToInt32(blogId));
 if (blog == null) {
@@ -184,7 +185,7 @@ namespace Orchard.Blogs.Services {
 IUser user = ValidateUser(userName, password);
 // User needs permission to edit or publish its own blog posts
- _authorizationService.CheckAccess(publish ? Permissions.PublishOwnBlogPost : Permissions.EditOwnBlogPost, user, null);
+ _authorizationService.CheckAccess(publish ? Permissions.PublishBlogPost : Permissions.EditBlogPost, user, null);
 BlogPart blog = _contentManager.Get(Convert.ToInt32(blogId));
 if (blog == null)
From 9dde617b2999c186b8c7fae65fb7b3f5337e4e0a Mon Sep 17 00:00:00 2001 From: Renaud Paquay Date: Mon, 10 Jan 2011 13:53:33 -0800 Subject: [PATCH 4/5] Merge and fix remaining few permission checks --HG-- branch : 1.x --- .../Core/Contents/Controllers/AdminController.cs | 2 +- src/Orchard.Web/Modules/Orchard.Blogs/AdminMenu.cs | 6 +++--- src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs | 2 +- .../Modules/Orchard.PublishLater/Services/XmlRpcHandler.cs | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs b/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
index e2a09b931..79e7fb403 100644
--- a/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
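Review bot: Both hunks now demand `EditBlogPost` / `PublishBlogPost` while still passing `null` as the content, so the owner-based downgrade to the `Own` variants has nothing to evaluate and callers holding only `EditOwnBlogPost` / `PublishOwnBlogPost` are presumably refused; the retained comments `// User needs to at least have permission to edit its own blog posts ...` and `// User needs permission to edit or publish its own blog posts` no longer describe what is checked. The target is loaded two lines later by `BlogPart blog = _contentManager.Get(...)`, so the check could move below the `if (blog == null)` guard and pass `blog`, as the `getUsersBlogs` change in this same commit already does. Whether passing the blog rather than a post is enough for the owner adjustment depends on `BlogAuthorizationEventHandler`, which is not in this hunk. Both enclosing methods begin and end outside the hunks.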
@@ -210,7 +210,7 @@ namespace Orchard.Core.Contents.Controllers {
 [HttpPost, ActionName("Create")]
 [FormValueRequired("submit.Publish")]
 public ActionResult CreateAndPublishPOST(string id) {
- if (!Services.Authorizer.Authorize(Permissions.PublishOwnContent, T("Couldn't create content")))
+ if (!Services.Authorizer.Authorize(Permissions.PublishContent, T("Couldn't create content")))
 return new HttpUnauthorizedResult();
 return CreatePOST(id, contentItem => _contentManager.Publish(contentItem));
diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/AdminMenu.cs b/src/Orchard.Web/Modules/Orchard.Blogs/AdminMenu.cs
index 258b630ee..6d176f55f 100644
--- a/src/Orchard.Web/Modules/Orchard.Blogs/AdminMenu.cs
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/AdminMenu.cs
@@ -26,16 +26,16 @@ namespace Orchard.Blogs {
 if (blogCount > 0 && singleBlog == null) {
 menu.Add(T("Manage Blogs"), "3",
- item => item.Action("List", "BlogAdmin", new {area = "Orchard.Blogs"}).Permission(Permissions.MetaListOwnBlogs));
+ item => item.Action("List", "BlogAdmin", new {area = "Orchard.Blogs"}).Permission(Permissions.MetaListBlogs));
 }
 else if (singleBlog != null)
 menu.Add(T("Manage Blog"), "1.0",
- item => item.Action("Item", "BlogAdmin", new { area = "Orchard.Blogs", blogId = singleBlog.Id }).Permission(Permissions.MetaListOwnBlogs));
+ item => item.Action("Item", "BlogAdmin", new { area = "Orchard.Blogs", blogId = singleBlog.Id }).Permission(Permissions.MetaListBlogs));
 if (singleBlog != null)
 menu.Add(T("Create New Post"), "1.1",
 item =>
- item.Action("Create", "BlogPostAdmin", new { area = "Orchard.Blogs", blogId = singleBlog.Id }).Permission(Permissions.PublishOwnBlogPost));
+ item.Action("Create", "BlogPostAdmin", new { area = "Orchard.Blogs", blogId = singleBlog.Id }).Permission(Permissions.PublishBlogPost));
 menu.Add(T("Create New Blog"), "1.2",
 item =>
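Review bot: `CreateAndPublishPOST(string id)` now demands `Permissions.PublishContent` before any content item exists, so the owner-based adjustment this series relies on cannot apply here and a user holding only `PublishOwnContent` is presumably refused. The item is only materialised inside `CreatePOST(id, ...)`, so for ownership to count the publish demand would have to be made there, against the created item; that reorganisation is outside this hunk. If the item-less check is intentional, say so next to it: `// No item exists yet, so ownership cannot be considered: this requires the type-wide publish permission`. `CreatePOST` is not visible in this diff.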
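Review bot: The menu entries are now gated on `Permissions.MetaListBlogs` and `Permissions.PublishBlogPost`, and a menu `.Permission(...)` check has no content item to be owned, so authors who hold only the `Own` permissions presumably lose the "Manage Blog(s)" and "Create New Post" entries entirely. `Permissions.MetaListOwnBlogs` is still declared in Permissions.cs in this same commit but has no remaining consumer in the diff, which suggests either the menu should keep using the `Own` variants (a menu normally shows what the user can do for some item, leaving the per-item check to the controller) or the now-unused permission should be retired. If the stricter gating is intended, a comment on these calls stating that only blog-wide rights surface the entries would stop the next reader from "fixing" it back. The enclosing method starts before the hunk.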
diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs
index e4a346ce8..16f6fec7d 100644
--- a/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Permissions.cs
@@ -13,7 +13,7 @@ namespace Orchard.Blogs {
 public static readonly Permission DeleteBlogPost = new Permission { Description = "Delete blog post for others", Name = "DeleteBlogPost", ImpliedBy = new[] { ManageBlogs } };
 public static readonly Permission DeleteOwnBlogPost = new Permission { Description = "Delete own blog post", Name = "DeleteOwnBlogPost", ImpliedBy = new[] { DeleteBlogPost } };
- public static readonly Permission MetaListOthersBlogs = new Permission { ImpliedBy = new[] { EditBlogPost, PublishBlogPost, DeleteBlogPost } };
+ public static readonly Permission MetaListBlogs = new Permission { ImpliedBy = new[] { EditBlogPost, PublishBlogPost, DeleteBlogPost } };
 public static readonly Permission MetaListOwnBlogs = new Permission { ImpliedBy = new[] { EditOwnBlogPost, PublishOwnBlogPost, DeleteOwnBlogPost } };
 public virtual Feature Feature { get; set; }
diff --git a/src/Orchard.Web/Modules/Orchard.PublishLater/Services/XmlRpcHandler.cs b/src/Orchard.Web/Modules/Orchard.PublishLater/Services/XmlRpcHandler.cs
index 5b825e326..5d8a1c91b 100644
--- a/src/Orchard.Web/Modules/Orchard.PublishLater/Services/XmlRpcHandler.cs
+++ b/src/Orchard.Web/Modules/Orchard.PublishLater/Services/XmlRpcHandler.cs
@@ -122,7 +122,7 @@ namespace Orchard.PublishLater.Services {
 if (contentItem == null || !contentItem.Is()) return;
- _authorizationService.CheckAccess(Permissions.PublishOthersContent, user, null);
+ _authorizationService.CheckAccess(Permissions.PublishContent, user, null);
 contentItem.As().ScheduledPublishUtc.Value = publishedUtc;
 _publishingTaskManager.Publish(contentItem, (DateTime)publishedUtc);
From 84766a2d87e03b57cd3f81c7c4f906bc96fda984 Mon Sep 17 00:00:00 2001
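Review bot: `_authorizationService.CheckAccess(Permissions.PublishContent, user, null)` passes no content although `contentItem` is already null-checked on the line above, so the owner-based downgrade to `PublishOwnContent` cannot apply and an author who may publish only their own items is presumably refused when scheduling through XML-RPC. Pass the item that is in hand: `_authorizationService.CheckAccess(Permissions.PublishContent, user, contentItem);`. The enclosing method begins before the hunk.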
From: Louis DeJardin Date: Mon, 10 Jan 2011 13:59:06 -0800 Subject: [PATCH 5/5] Antiforgery token not verified for setup controller actions These actions are all anonymous, by definition, and antiforgery serves no purpose --HG-- branch : 1.x --- src/Orchard.Web/Modules/Orchard.Setup/Module.txt | 1 - 1 file changed, 1 deletion(-)
diff --git a/src/Orchard.Web/Modules/Orchard.Setup/Module.txt b/src/Orchard.Web/Modules/Orchard.Setup/Module.txt
index c916f5040..446a69aaf 100644
--- a/src/Orchard.Web/Modules/Orchard.Setup/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Setup/Module.txt
@@ -1,5 +1,4 @@
 Name: Setup
-AntiForgery: enabled
 Author: The Orchard Team
 Website: http://orchardproject.net
 Version: 0.9.0
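Review bot: Dropping `AntiForgery: enabled` for the whole Setup module removes CSRF protection from the setup POST, and anonymity does not make that moot: the setup form establishes the admin credentials and the database connection, and an operator who browses a malicious page while an un-set-up instance is reachable only from their own machine or network could have setup completed with attacker-chosen values. The commit message's statement that antiforgery "serves no purpose" is therefore an inference, not something the change demonstrates; an anti-forgery token does not depend on an authenticated user, so the cost of keeping it appears to be only that the setup views must emit the token. Keep `AntiForgery: enabled` unless a concrete breakage is documented, or exempt only the specific action that needs it if the framework supports per-action opt-out.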