lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-10-14 10:54:50 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

16451 Role without check “Edit any blog posts” can edit posts by others if he has "EditOwn" permission

Browse Source 
--HG--
branch : dev
This commit is contained in:
Suha Can
2010-12-10 11:43:12 -08:00
parent ce506d2bf9
commit 1ea1551ba6
3 changed files with 55 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs
View File

@@ -9,6 +9,8 @@ using Orchard.ContentManagement.Aspects;
using Orchard.Core.Contents.Settings;
using Orchard.Localization;
using Orchard.Mvc.AntiForgery;
using Orchard.Security;
using Orchard.Security.Permissions;
using Orchard.UI.Admin;
using Orchard.UI.Notify;
@@ -84,9 +86,6 @@ namespace Orchard.Blogs.Controllers {
//todo: the content shape template has extra bits that the core contents module does not (remove draft functionality)
//todo: - move this extra functionality there or somewhere else that's appropriate?
public ActionResult Edit(int blogId, int postId) {
if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Couldn't edit blog post")))
return new HttpUnauthorizedResult();
var blog = _blogService.Get(blogId, VersionOptions.Latest);
if (blog == null)
return HttpNotFound();
@@ -95,6 +94,9 @@ namespace Orchard.Blogs.Controllers {
if (post == null)
return HttpNotFound();
if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post.ContentItem, T("Couldn't edit blog post")))
return new HttpUnauthorizedResult();
dynamic model = Services.ContentManager.BuildEditor(post);
// Casting to avoid invalid (under medium trust) reflection over the protected View method and force a static invocation.
return View((object)model);

1
src/Orchard.Web/Modules/Orchard.Blogs/Orchard.Blogs.csproj
View File

@@ -82,6 +82,7 @@
<Compile Include="Routing\IsArchiveConstraint.cs" />
<Compile Include="Routing\BlogSlugConstraint.cs" />
<Compile Include="Routing\BlogSlugConstraintUpdator.cs" />
<Compile Include="Security\BlogAuthorizationEventHandler.cs" />
<Compile Include="Services\BlogService.cs" />
<Compile Include="Controllers\BlogController.cs" />
<Compile Include="Models\BlogPart.cs" />

49
src/Orchard.Web/Modules/Orchard.Blogs/Security/BlogAuthorizationEventHandler.cs Normal file
View File

@@ -0,0 +1,49 @@
using JetBrains.Annotations;
using Orchard.ContentManagement;
using Orchard.ContentManagement.Aspects;
using Orchard.Security;
using Orchard.Security.Permissions;
namespace Orchard.Blogs.Security {
[UsedImplicitly]
public class BlogAuthorizationEventHandler : IAuthorizationServiceEventHandler {
public void Checking(CheckAccessContext context) { }
public void Complete(CheckAccessContext context) { }
public void Adjust(CheckAccessContext context) {
if (!context.Granted &&
context.Content.Is<ICommonPart>()) {
if (OwnerVariationExists(context.Permission) &&
HasOwnership(context.User, context.Content)) {
context.Adjusted = true;
context.Permission = GetOwnerVariation(context.Permission);
}
}
}
private static bool HasOwnership(IUser user, IContent content) {
if (user == null || content == null)
return false;
var common = content.As<ICommonPart>();
if (common == null || common.Owner == null)
return false;
return user.Id == common.Owner.Id;
}
private static bool OwnerVariationExists(Permission permission) {
return GetOwnerVariation(permission) != null;
}
private static Permission GetOwnerVariation(Permission permission) {
if (permission.Name == Permissions.PublishOthersBlogPost.Name)
return Permissions.PublishOwnBlogPost;
if (permission.Name == Permissions.EditOthersBlogPost.Name)
return Permissions.EditOwnBlogPost;
if (permission.Name == Permissions.DeleteOthersBlogPost.Name)
return Permissions.DeleteOwnBlogPost;
return null;
}
}
}