#18359: Fixing authorization checks

Work Item: 18359 --HG-- branch : 1.x
2025-09-19 01:57:55 +08:00 · 2012-01-19 17:37:12 -08:00
parent d764939439
commit 1ceb5f07d0
4 changed files with 33 additions and 9 deletions
--- a/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
@@ -213,7 +213,7 @@ namespace Orchard.Core.Contents.Controllers {
        [HttpPost, ActionName("Create")]
        [FormValueRequired("submit.Publish")]
        public ActionResult CreateAndPublishPOST(string id, string returnUrl) {
-            if (!Services.Authorizer.Authorize(Permissions.PublishOwnContent, T("Couldn't create content")))
+            if (!Services.Authorizer.Authorize(Permissions.PublishContent, T("Couldn't create content")))
                return new HttpUnauthorizedResult();

            return CreatePOST(id, returnUrl, contentItem => _contentManager.Publish(contentItem));
@@ -326,6 +326,7 @@ namespace Orchard.Core.Contents.Controllers {
            return this.RedirectLocal(returnUrl, () => RedirectToAction("Edit", new RouteValueDictionary { { "Id", contentItem.Id } }));
        }

+        [HttpPost]
        public ActionResult Remove(int id, string returnUrl) {
            var contentItem = _contentManager.Get(id, VersionOptions.Latest);

--- a/src/Orchard.Web/Core/Contents/Views/Content.SummaryAdmin.cshtml
+++ b/src/Orchard.Web/Core/Contents/Views/Content.SummaryAdmin.cshtml
@@ -1,4 +1,5 @@
@using Orchard.ContentManagement;
+@using Orchard.Core.Contents
@using Orchard.Utility.Extensions;
@{
    ContentItem contentItem = Model.ContentItem;
@@ -17,8 +18,12 @@
    </div>
    <div class="related">
        @Display(Model.Actions)
-        @Html.ItemEditLink(T("Edit").Text, contentItem) @T(" | ")
-        @Html.Link(T("Delete").Text, Url.ItemRemoveUrl(contentItem, new { returnUrl }), new { itemprop = "RemoveUrl UnsafeUrl" })
+        @if (Authorizer.Authorize(Permissions.EditContent, contentItem)) {
+            @Html.ItemEditLink(T("Edit").Text, contentItem)@T(" | ")
+        }
+        @if (Authorizer.Authorize(Permissions.DeleteContent, contentItem)) {
+            @Html.Link(T("Delete").Text, Url.ItemRemoveUrl(contentItem, new {returnUrl}), new {itemprop = "RemoveUrl UnsafeUrl"})
+        }
    </div>
    @if (Model.Content != null) {
    <div class="primary">@Display(Model.Content)</div>
--- a/src/Orchard.Web/Core/Contents/Views/Parts.Contents.Publish.SummaryAdmin.cshtml
+++ b/src/Orchard.Web/Core/Contents/Views/Parts.Contents.Publish.SummaryAdmin.cshtml
@@ -1,4 +1,5 @@
@using Orchard.ContentManagement;
+@using Orchard.Core.Contents
@using Orchard.Utility.Extensions;
@{
    Script.Require("ShapesBase");
@@ -12,18 +13,24 @@
        @Html.Link(T("Publish Draft").Text, Url.Action("Publish", "Admin", new { area = "Contents", id = contentPart.ContentItem.Id, returnUrl = Request.ToUrlString() }), new { itemprop = "UnsafeUrl" })
        @T(" | ")

-        @Html.ActionLink(T("Preview").Text, "Preview", "Item", new { area = "Contents", id = ((ContentItem)Model.ContentPart.ContentItem).Id }, new { })
-        @T(" | ")
+        if (Authorizer.Authorize(Permissions.PublishContent, contentPart)) {
+            @Html.ActionLink(T("Preview").Text, "Preview", "Item", new {area = "Contents", id = ((ContentItem) Model.ContentPart.ContentItem).Id}, new {})
+            @T(" | ")
+        }
    }

-    @Html.Link(T("Unpublish").Text, Url.Action("Unpublish", "Admin", new { area = "Contents", id = contentPart.ContentItem.Id, returnUrl = Request.ToUrlString() }), new { itemprop = "UnsafeUrl" })
-    @T(" | ")
+    if (Authorizer.Authorize(Permissions.PublishContent, contentPart)) {
+        @Html.Link(T("Unpublish").Text, Url.Action("Unpublish", "Admin", new {area = "Contents", id = contentPart.ContentItem.Id, returnUrl = Request.ToUrlString()}), new {itemprop = "UnsafeUrl"})
+        @T(" | ")
+    }
 } else {
    if ( contentPart.HasDraft() ) {    
        @Html.ActionLink(T("Preview").Text, "Preview", "Item", new { area = "Contents", id = ((ContentItem)Model.ContentPart.ContentItem).Id }, new { })
        @T(" | ")
    }

-    @Html.Link(T("Publish").Text, Url.Action("Publish", "Admin", new { area = "Contents", id = contentPart.ContentItem.Id, returnUrl = Request.ToUrlString() }), new { itemprop = "UnsafeUrl" })
-    @T(" | ")
+    if (Authorizer.Authorize(Permissions.PublishContent, contentPart)) {
+        @Html.Link(T("Publish").Text, Url.Action("Publish", "Admin", new {area = "Contents", id = contentPart.ContentItem.Id, returnUrl = Request.ToUrlString()}), new {itemprop = "UnsafeUrl"})
+        @T(" | ")
+    }
 }
--- a/src/Orchard/Security/Authorizer.cs
+++ b/src/Orchard/Security/Authorizer.cs
@@ -22,6 +22,13 @@ namespace Orchard.Security {
        /// <param name="message">A localized message to display if authorization fails</param>
        bool Authorize(Permission permission, LocalizedString message);

+        /// <summary>
+        /// Authorize the current user against a permission for a specified content item;
+        /// </summary>
+        /// <param name="permission">A permission to authorize against</param>
+        /// <param name="content">A content item the permission will be checked for</param>
+        bool Authorize(Permission permission, IContent content);
+
        /// <summary>
        /// Authorize the current user against a permission for a specified content item;
        /// if authorization fails, the specified message will be displayed
@@ -57,6 +64,10 @@ namespace Orchard.Security {
            return Authorize(permission, null, message);
        }

+        public bool Authorize(Permission permission, IContent content) {
+            return Authorize(permission, content, null);
+        }
+
        public bool Authorize(Permission permission, IContent content, LocalizedString message) {
            if (_authorizationService.TryCheckAccess(permission, _workContextAccessor.GetContext().CurrentUser, content))
                return true;