16451 Role without check “Edit any blog posts” can edit posts by others if he has "EditOwn" permission
--HG-- branch : dev
@@ -9,6 +9,8 @@ using Orchard.ContentManagement.Aspects;
|
|||||||
using Orchard.Core.Contents.Settings;
|
using Orchard.Core.Contents.Settings;
|
||||||
using Orchard.Localization;
|
using Orchard.Localization;
|
||||||
using Orchard.Mvc.AntiForgery;
|
using Orchard.Mvc.AntiForgery;
|
||||||
|
using Orchard.Security;
|
||||||
|
using Orchard.Security.Permissions;
|
||||||
using Orchard.UI.Admin;
|
using Orchard.UI.Admin;
|
||||||
using Orchard.UI.Notify;
|
using Orchard.UI.Notify;
|
||||||
|
|
||||||
@@ -84,9 +86,6 @@ namespace Orchard.Blogs.Controllers {
|
|||||||
//todo: the content shape template has extra bits that the core contents module does not (remove draft functionality)
|
//todo: the content shape template has extra bits that the core contents module does not (remove draft functionality)
|
||||||
//todo: - move this extra functionality there or somewhere else that's appropriate?
|
//todo: - move this extra functionality there or somewhere else that's appropriate?
|
||||||
public ActionResult Edit(int blogId, int postId) {
|
public ActionResult Edit(int blogId, int postId) {
|
||||||
if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Couldn't edit blog post")))
|
|
||||||
return new HttpUnauthorizedResult();
|
|
||||||
|
|
||||||
var blog = _blogService.Get(blogId, VersionOptions.Latest);
|
var blog = _blogService.Get(blogId, VersionOptions.Latest);
|
||||||
if (blog == null)
|
if (blog == null)
|
||||||
return HttpNotFound();
|
return HttpNotFound();
|
||||||
@@ -95,6 +94,9 @@ namespace Orchard.Blogs.Controllers {
|
|||||||
if (post == null)
|
if (post == null)
|
||||||
return HttpNotFound();
|
return HttpNotFound();
|
||||||
|
|
||||||
|
if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post.ContentItem, T("Couldn't edit blog post")))
|
||||||
|
return new HttpUnauthorizedResult();
|
||||||
|
|
||||||
dynamic model = Services.ContentManager.BuildEditor(post);
|
dynamic model = Services.ContentManager.BuildEditor(post);
|
||||||
// Casting to avoid invalid (under medium trust) reflection over the protected View method and force a static invocation.
|
// Casting to avoid invalid (under medium trust) reflection over the protected View method and force a static invocation.
|
||||||
return View((object)model);
|
return View((object)model);
|
||||||
|
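Review bot: The new content-scoped check `Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post.ContentItem, ...)` runs only after `_blogService.Get(blogId, ...)` and the post lookup have each had the chance to return `HttpNotFound()`, whereas the EditOwnBlogPost pre-check this commit removes from the top of `Edit` ran before any lookup. A caller holding no blog permission therefore gets 404 for ids that do not exist and 401 for ids that do, so the action can be used to enumerate blog and post ids. If EditOthersBlogPost implies EditOwnBlogPost in the module's permission definitions (not shown here), restoring `if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Couldn't edit blog post"))) return new HttpUnauthorizedResult();` ahead of the lookups would close that without changing who can ultimately edit; otherwise a cheap pre-check that both roles pass is needed. The POST counterpart of `Edit` is not in this diff and presumably needs the same content-scoped check. `Edit` begins in the previous hunk and its closing brace lies outside this one.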
@@ -82,6 +82,7 @@
|
|||||||
<Compile Include="Routing\IsArchiveConstraint.cs" />
|
<Compile Include="Routing\IsArchiveConstraint.cs" />
|
||||||
<Compile Include="Routing\BlogSlugConstraint.cs" />
|
<Compile Include="Routing\BlogSlugConstraint.cs" />
|
||||||
<Compile Include="Routing\BlogSlugConstraintUpdator.cs" />
|
<Compile Include="Routing\BlogSlugConstraintUpdator.cs" />
|
||||||
|
<Compile Include="Security\BlogAuthorizationEventHandler.cs" />
|
||||||
<Compile Include="Services\BlogService.cs" />
|
<Compile Include="Services\BlogService.cs" />
|
||||||
<Compile Include="Controllers\BlogController.cs" />
|
<Compile Include="Controllers\BlogController.cs" />
|
||||||
<Compile Include="Models\BlogPart.cs" />
|
<Compile Include="Models\BlogPart.cs" />
|
||||||
|
@@ -0,0 +1,49 @@
|
|||||||
|
using JetBrains.Annotations;
|
||||||
|
using Orchard.ContentManagement;
|
||||||
|
using Orchard.ContentManagement.Aspects;
|
||||||
|
using Orchard.Security;
|
||||||
|
using Orchard.Security.Permissions;
|
||||||
|
|
||||||
|
namespace Orchard.Blogs.Security {
|
||||||
|
[UsedImplicitly]
|
||||||
|
public class BlogAuthorizationEventHandler : IAuthorizationServiceEventHandler {
|
||||||
|
public void Checking(CheckAccessContext context) { }
|
||||||
|
public void Complete(CheckAccessContext context) { }
|
||||||
|
|
||||||
|
public void Adjust(CheckAccessContext context) {
|
||||||
|
if (!context.Granted &&
|
||||||
|
context.Content.Is<ICommonPart>()) {
|
||||||
|
if (OwnerVariationExists(context.Permission) &&
|
||||||
|
HasOwnership(context.User, context.Content)) {
|
||||||
|
context.Adjusted = true;
|
||||||
|
context.Permission = GetOwnerVariation(context.Permission);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static bool HasOwnership(IUser user, IContent content) {
|
||||||
|
if (user == null || content == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var common = content.As<ICommonPart>();
|
||||||
|
if (common == null || common.Owner == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return user.Id == common.Owner.Id;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static bool OwnerVariationExists(Permission permission) {
|
||||||
|
return GetOwnerVariation(permission) != null;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static Permission GetOwnerVariation(Permission permission) {
|
||||||
|
if (permission.Name == Permissions.PublishOthersBlogPost.Name)
|
||||||
|
return Permissions.PublishOwnBlogPost;
|
||||||
|
if (permission.Name == Permissions.EditOthersBlogPost.Name)
|
||||||
|
return Permissions.EditOwnBlogPost;
|
||||||
|
if (permission.Name == Permissions.DeleteOthersBlogPost.Name)
|
||||||
|
return Permissions.DeleteOwnBlogPost;
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
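Review bot: `Adjust` dereferences `context.Content` via `context.Content.Is<ICommonPart>()` without a null guard, yet the authorizer is also invoked for content-less checks (the `Authorize(permission, message)` form this commit removes from the controller), so unless `Is<T>` tolerates a null receiver those checks will throw inside this handler; the condition should read `if (!context.Granted && context.Content != null && context.Content.Is<ICommonPart>())`. `HasOwnership` already guards its own inputs, so the guard belongs on the entry path. The class also carries no documentation: a `<summary>` on `BlogAuthorizationEventHandler` stating that, when a `*OthersBlogPost` permission is denied, the check is re-run as the matching `*OwnBlogPost` permission if the current user owns the content item, plus a note on `GetOwnerVariation` that a null return means no owner variation exists, would make the downgrade rule explicit. Whether a content item that is not a blog post could reach this handler depends on callers not shown here; if it can, restricting the adjustment to blog posts is worth considering.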