lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-10-15 19:54:57 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Adding some auth checks in content CRUD (from Orchard.Pages)

Browse Source 
--HG--
branch : dev
This commit is contained in:
Nathan Heskew
2010-07-22 15:40:27 -07:00
parent 77e73c70e1
commit 08cc911948
5 changed files with 97 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Orchard.Web/Core/Common/Permissions.cs
View File

@@ -20,7 +20,7 @@ namespace Orchard.Core.Common {
new PermissionStereotype {
Name = "Administrator",
Permissions = new[] {ChangeOwner}
}
},
};
}
}

57
src/Orchard.Web/Core/Common/Security/AuthorizationEventHandler.cs Normal file
View File

@@ -0,0 +1,57 @@
using JetBrains.Annotations;
using Orchard.ContentManagement;
using Orchard.ContentManagement.Aspects;
using Orchard.Core.Common.Models;
using Orchard.Security;
using Orchard.Security.Permissions;
namespace Orchard.Core.Common.Security
{
[UsedImplicitly]
public class AuthorizationEventHandler : IAuthorizationServiceEventHandler
{
public void Checking(CheckAccessContext context) { }
public void Complete(CheckAccessContext context) { }
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is<CommonPart>() &&
OwnerVariationExists(context.Permission) &&
HasOwnership(context.User, context.Content))
{
context.Adjusted = true;
context.Permission = GetOwnerVariation(context.Permission);
}
}
private static bool HasOwnership(IUser user, IContent content)
{
if (user == null || content == null)
return false;
var common = content.As<ICommonPart>();
if (common == null || common.Owner == null)
return false;
return user.Id == common.Owner.Id;
}
private static bool OwnerVariationExists(Permission permission)
{
return GetOwnerVariation(permission) != null;
}
private static Permission GetOwnerVariation(Permission permission)
{
if (permission.Name == Contents.Permissions.PublishOthersContent.Name)
return Contents.Permissions.PublishContent;
if (permission.Name == Contents.Permissions.EditOthersContent.Name)
return Contents.Permissions.EditContent;
if (permission.Name == Contents.Permissions.DeleteOthersContent.Name)
return Contents.Permissions.DeleteContent;
return null;
}
}
}

47
src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
View File

@@ -134,34 +134,38 @@ namespace Orchard.Core.Contents.Controllers {
[HttpPost, ActionName("List")]
[FormValueRequired("submit.BulkEdit")]
public ActionResult ListPOST(ContentOptions options, IEnumerable<int> itemIds, string returnUrl) {
var accessChecked = false;
switch (options.BulkAction) {
case ContentsBulkAction.None:
break;
case ContentsBulkAction.PublishNow:
if (!Services.Authorizer.Authorize(Permissions.PublishContent, T("Couldn't publish selected content.")))
foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) {
if (!accessChecked && !Services.Authorizer.Authorize(Permissions.PublishContent, item, T("Couldn't publish selected content.")))
return new HttpUnauthorizedResult();
foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) {
accessChecked = true;
_contentManager.Publish(item);
Services.ContentManager.Flush();
}
Services.Notifier.Information(T("Content successfully published."));
break;
case ContentsBulkAction.Unpublish:
if (!Services.Authorizer.Authorize(Permissions.PublishContent, T("Couldn't unpublish selected content.")))
foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) {
if (!accessChecked && !Services.Authorizer.Authorize(Permissions.PublishContent, item, T("Couldn't unpublish selected content.")))
return new HttpUnauthorizedResult();
foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) {
accessChecked = true;
_contentManager.Unpublish(item);
Services.ContentManager.Flush();
}
Services.Notifier.Information(T("Content successfully unpublished."));
break;
case ContentsBulkAction.Remove:
if (!Services.Authorizer.Authorize(Permissions.PublishContent, T("Couldn't delete selected content.")))
foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) {
if (!accessChecked && !Services.Authorizer.Authorize(Permissions.DeleteContent, item, T("Couldn't remove selected content.")))
return new HttpUnauthorizedResult();
foreach (var item in itemIds.Select(itemId => _contentManager.GetLatest(itemId))) {
accessChecked = true;
_contentManager.Remove(item);
Services.ContentManager.Flush();
}
@@ -210,6 +214,10 @@ namespace Orchard.Core.Contents.Controllers {
return CreatableTypeList();
var contentItem = _contentManager.New(id);
if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Cannot create content")))
return new HttpUnauthorizedResult();
var model = new CreateItemViewModel {
Id = id,
Content = _contentManager.BuildEditorModel(contentItem)
@@ -221,8 +229,11 @@ namespace Orchard.Core.Contents.Controllers {
[HttpPost]
public ActionResult Create(CreateItemViewModel model) {
//todo: need to integrate permissions into generic content management
var contentItem = _contentManager.New(model.Id);
if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't create content")))
return new HttpUnauthorizedResult();
_contentManager.Create(contentItem, VersionOptions.Draft);
model.Content = _contentManager.UpdateEditorModel(contentItem, this);
@@ -246,6 +257,9 @@ namespace Orchard.Core.Contents.Controllers {
if (contentItem == null)
return new NotFoundResult();
if (!Services.Authorizer.Authorize(Permissions.EditOthersContent, contentItem, T("Cannot edit content")))
return new HttpUnauthorizedResult();
var model = new EditItemViewModel {
Id = id,
Content = _contentManager.BuildEditorModel(contentItem)
@@ -263,6 +277,9 @@ namespace Orchard.Core.Contents.Controllers {
if (contentItem == null)
return new NotFoundResult();
if (!Services.Authorizer.Authorize(Permissions.EditOthersContent, contentItem, T("Couldn't edit content")))
return new HttpUnauthorizedResult();
model.Content = _contentManager.UpdateEditorModel(contentItem, this);
if (!ModelState.IsValid) {
_transactionManager.Cancel();
@@ -280,6 +297,10 @@ namespace Orchard.Core.Contents.Controllers {
[HttpPost, ActionName("Remove")]
public ActionResult RemovePOST(int id, string returnUrl) {
var contentItem = _contentManager.Get(id, VersionOptions.Latest);
if (!Services.Authorizer.Authorize(Permissions.DeleteOthersContent, contentItem, T("Couldn't remove content")))
return new HttpUnauthorizedResult();
if (contentItem != null)
_contentManager.Remove(contentItem);
@@ -291,13 +312,13 @@ namespace Orchard.Core.Contents.Controllers {
[HttpPost]
public ActionResult Publish(int id, string returnUrl) {
if (!Services.Authorizer.Authorize(Permissions.PublishContent, T("Couldn't publish content")))
return new HttpUnauthorizedResult();
var contentItem = _contentManager.GetLatest(id);
if (contentItem == null)
return new NotFoundResult();
if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't publish content")))
return new HttpUnauthorizedResult();
_contentManager.Publish(contentItem);
Services.ContentManager.Flush();
Services.Notifier.Information(T("{0} successfully published.", contentItem.TypeDefinition.DisplayName));
@@ -310,13 +331,13 @@ namespace Orchard.Core.Contents.Controllers {
[HttpPost]
public ActionResult Unpublish(int id, string returnUrl) {
if (!Services.Authorizer.Authorize(Permissions.PublishContent, T("Couldn't unpublish content")))
return new HttpUnauthorizedResult();
var contentItem = _contentManager.GetLatest(id);
if (contentItem == null)
return new NotFoundResult();
if (!Services.Authorizer.Authorize(Permissions.PublishContent, contentItem, T("Couldn't unpublish content")))
return new HttpUnauthorizedResult();
_contentManager.Unpublish(contentItem);
Services.ContentManager.Flush();
Services.Notifier.Information(T("{0} successfully unpublished.", contentItem.TypeDefinition.DisplayName));

2
src/Orchard.Web/Core/Contents/Permissions.cs
View File

@@ -19,7 +19,7 @@ namespace Orchard.Core.Contents {
}
public IEnumerable<Permission> GetPermissions() {
return new Permission[] {
return new [] {
EditContent,
EditOthersContent,
PublishContent,

1
src/Orchard.Web/Core/Orchard.Core.csproj
View File

@@ -67,6 +67,7 @@
<Compile Include="Common\Drivers\TextFieldDriver.cs" />
<Compile Include="Common\Extensions\HtmlHelperExtensions.cs" />
<Compile Include="Common\Fields\TextField.cs" />
<Compile Include="Common\Security\AuthorizationEventHandler.cs" />
<Compile Include="ContentsLocation\Models\LocationDefinition.cs" />
<Compile Include="Common\Services\ICommonService.cs" />
<Compile Include="Common\Services\CommonService.cs" />