#17322: Restricting access to webconsole to default tenant.

--HG--
branch : 1.x

src/Orchard.Web/Modules/Orchard.Experimental/Controllers/CommandsController.cs

@@ -4,10 +4,12 @@ using System.IO;
 using System.Linq;
 using System.Web.Mvc;
 using Orchard.Commands;
+using Orchard.Environment.Configuration;
 using Orchard.Experimental.ViewModels;
 using Orchard.Environment.Extensions;
 using Orchard.Localization;
 using Orchard.Logging;
+using Orchard.Security;
 using Orchard.Themes;
 using Orchard.UI.Admin;
 using Orchard.Utility.Extensions;
@@ -15,11 +17,15 @@ using Orchard.Utility.Extensions;
 namespace Orchard.Experimental.Controllers {
     [Themed, Admin, OrchardFeature("Orchard.Experimental.WebCommandLine")]
     public class CommandsController : Controller {
+        private readonly ShellSettings _shellSettings;
         private readonly ICommandManager _commandManager;
 
-        public CommandsController(ICommandManager commandManager, IOrchardServices services) {
+        public CommandsController(ShellSettings shellSettings, ICommandManager commandManager, IOrchardServices services) {
+            _shellSettings = shellSettings;
             _commandManager = commandManager;
+
             Services = services;
+
             T = NullLocalizer.Instance;
             Logger = NullLogger.Instance;
         }
@@ -33,11 +39,17 @@ namespace Orchard.Experimental.Controllers {
         }
 
         public ActionResult Execute() {
+            if (_shellSettings.Name != ShellSettings.DefaultName || !Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to use the web console")))
+                return new HttpUnauthorizedResult();
+
             return View("Execute", new CommandsExecuteViewModel());
         }
 
         [HttpPost]
         public ActionResult Execute(CommandsExecuteViewModel model) {
+            if (_shellSettings.Name != ShellSettings.DefaultName || !Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to use the web console")))
+                return new HttpUnauthorizedResult();
+
             try {
                 using (var writer = new StringWriter()) {
                     var commandLine = model.CommandLine.Trim();

src/Orchard.Web/Modules/Orchard.Media/Controllers/AdminController.cs

@@ -1,7 +1,6 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using System.Web;
 using System.Web.Mvc;
 using Orchard.Core.Contents.Controllers;
 using Orchard.Localization;

src/Orchard.Web/Modules/Orchard.MultiTenancy/Controllers/AdminController.cs

@@ -8,7 +8,6 @@ using Orchard.Logging;
 using Orchard.MultiTenancy.Services;
 using Orchard.MultiTenancy.ViewModels;
 using Orchard.Security;
-using Orchard.UI.Notify;
 using Orchard.Utility.Extensions;
 
 namespace Orchard.MultiTenancy.Controllers {
@@ -105,40 +104,39 @@ namespace Orchard.MultiTenancy.Controllers {
 
         [HttpPost, ActionName("Edit")]
         public ActionResult EditPost(TenantEditViewModel viewModel) {
-           
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Couldn't edit tenant")))
-                if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Couldn't edit tenant")))
+                return new HttpUnauthorizedResult();
-                    return new HttpUnauthorizedResult();
 
-                if ( !EnsureDefaultTenant() )
+            if ( !EnsureDefaultTenant() )
-                    return new HttpUnauthorizedResult();
+                return new HttpUnauthorizedResult();
 
-                var tenant = _tenantService.GetTenants().FirstOrDefault(ss => ss.Name == viewModel.Name);
+            var tenant = _tenantService.GetTenants().FirstOrDefault(ss => ss.Name == viewModel.Name);
-                if (tenant == null)
+            if (tenant == null)
-                    return HttpNotFound();
+                return HttpNotFound();
 
-                if (!ModelState.IsValid) {
+            if (!ModelState.IsValid) {
-                    return View(viewModel);
+                return View(viewModel);
-                }
+            }
 
-                try {
+            try {
-                    _tenantService.UpdateTenant(
+                _tenantService.UpdateTenant(
-                        new ShellSettings
+                    new ShellSettings
-                        {
+                    {
-                            Name = tenant.Name,
+                        Name = tenant.Name,
-                            RequestUrlHost = viewModel.RequestUrlHost,
+                        RequestUrlHost = viewModel.RequestUrlHost,
-                            RequestUrlPrefix = viewModel.RequestUrlPrefix,
+                        RequestUrlPrefix = viewModel.RequestUrlPrefix,
-                            DataProvider = viewModel.DataProvider,
+                        DataProvider = viewModel.DataProvider,
-                            DataConnectionString = viewModel.DatabaseConnectionString,
+                        DataConnectionString = viewModel.DatabaseConnectionString,
-                            DataTablePrefix = viewModel.DatabaseTablePrefix,
+                        DataTablePrefix = viewModel.DatabaseTablePrefix,
-                            State = tenant.State
+                        State = tenant.State
-                        });
+                    });
 
-                    return RedirectToAction("Index");
+                return RedirectToAction("Index");
-                }
+            }
-                catch (Exception exception) {
+            catch (Exception exception) {
-                    this.Error(exception, T("Failed to edit tenant: {0} ", exception.Message), Logger, Services.Notifier);
+                this.Error(exception, T("Failed to edit tenant: {0} ", exception.Message), Logger, Services.Notifier);
-                    return View(viewModel);
+                return View(viewModel);
-                }
+            }
         }
 
         [HttpPost]