16974 Create and edit actions don't use the correct permissions

--HG-- branch : dev
2025-10-15 19:54:57 +08:00 · 2010-12-08 18:58:04 -08:00
parent d8a02d4f3e
commit 429fabd93c
2 changed files with 26 additions and 0 deletions
--- a/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Core/Contents/Controllers/AdminController.cs
@@ -207,6 +207,9 @@ namespace Orchard.Core.Contents.Controllers {
        [HttpPost, ActionName("Create")]
        [FormValueRequired("submit.Publish")]
        public ActionResult CreateAndPublishPOST(string id) {
+            if (!Services.Authorizer.Authorize(Permissions.PublishOwnContent, T("Couldn't create content")))
+                return new HttpUnauthorizedResult();
+
            return CreatePOST(id, contentItem => _contentManager.Publish(contentItem));
        }

@@ -259,6 +262,14 @@ namespace Orchard.Core.Contents.Controllers {
        [HttpPost, ActionName("Edit")]
        [FormValueRequired("submit.Publish")]
        public ActionResult EditAndPublishPOST(int id, string returnUrl) {
+            var content = _contentManager.Get(id, VersionOptions.DraftRequired);
+
+            if (content == null)
+                return HttpNotFound();
+
+            if (!Services.Authorizer.Authorize(Permissions.PublishOthersContent, content, T("Couldn't publish content")))
+                return new HttpUnauthorizedResult();
+
            return EditPOST(id, returnUrl, contentItem => _contentManager.Publish(contentItem));
        }

--- a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs
@@ -53,6 +53,9 @@ namespace Orchard.Blogs.Controllers {
        [HttpPost, ActionName("Create")]
        [FormValueRequired("submit.Publish")]
        public ActionResult CreateAndPublishPOST() {
+            if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, T("Couldn't create blog post")))
+                return new HttpUnauthorizedResult();
+
            return CreatePOST(contentItem => Services.ContentManager.Publish(contentItem));
        }

@@ -109,6 +112,18 @@ namespace Orchard.Blogs.Controllers {
        [HttpPost, ActionName("Edit")]
        [FormValueRequired("submit.Publish")]
        public ActionResult EditAndPublishPOST(int blogId, int postId, string returnUrl) {
+            var blog = _blogService.Get(blogId, VersionOptions.Latest);
+            if (blog == null)
+                return HttpNotFound();
+
+            // Get draft (create a new version if needed)
+            var blogPost = _blogPostService.Get(postId, VersionOptions.DraftRequired);
+            if (blogPost == null)
+                return HttpNotFound();
+
+            if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, blogPost, T("Couldn't publish blog post")))
+                return new HttpUnauthorizedResult();
+
            return EditPOST(blogId, postId, returnUrl, contentItem => Services.ContentManager.Publish(contentItem));
        }