#19245: Adding missing permission check in ItemController for containers.

Work Item: 19245 --HG-- branch : 1.x
2025-10-15 19:54:57 +08:00 · 2013-06-21 22:36:05 +02:00
parent ab5153ea8b
commit 5e6fe8e253
1 changed files with 15 additions and 4 deletions
--- a/src/Orchard.Web/Core/Containers/Controllers/ItemController.cs
+++ b/src/Orchard.Web/Core/Containers/Controllers/ItemController.cs
@@ -6,6 +6,7 @@ using Orchard.ContentManagement;
 using Orchard.Core.Common.Models;
 using Orchard.Core.Containers.Extensions;
 using Orchard.Core.Containers.Models;
+using Orchard.Core.Contents;
 using Orchard.Core.Feeds;
 using Orchard.DisplayManagement;
 using Orchard.Mvc;
@@ -25,28 +26,38 @@ namespace Orchard.Core.Containers.Controllers {
            IContentManager contentManager, 
            IShapeFactory shapeFactory,
            ISiteService siteService,
-            IFeedManager feedManager) {
+            IFeedManager feedManager, 
+            IOrchardServices services) {

            _contentManager = contentManager;
            _siteService = siteService;
            _feedManager = feedManager;
            Shape = shapeFactory;
+            Services = services;
            T = NullLocalizer.Instance;
        }

        dynamic Shape { get; set; }
+        public IOrchardServices Services { get; private set; }

        public Localizer T { get; set; }
        [Themed]
        public ActionResult Display(int id, PagerParameters pagerParameters) {
+            var container = _contentManager
+                .Get(id, VersionOptions.Published)
+                .As<ContainerPart>();

-            var container = _contentManager.Get(id).As<ContainerPart>();
-            if (container==null)
+            if (container == null) {
                return HttpNotFound(T("Container not found").Text);
+            }
+
+            if (!Services.Authorizer.Authorize(Permissions.ViewContent, container, T("Cannot view content"))) {
+                return new HttpUnauthorizedResult();
+            }

            // TODO: (PH) Find a way to apply PagerParameters via a driver so we can lose this controller
            container.PagerParameters = pagerParameters;
-            var model = _contentManager.BuildDisplay(container, "Detail");
+            var model = _contentManager.BuildDisplay(container);

            return new ShapeResult(this, model);
        }