lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-10-21 03:14:10 +08:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

#18455: Fixing XmlRpc front end access

Browse Source 
Work Item: 18455

--HG--
branch : 1.x
This commit is contained in:
Sebastien Ros
2012-02-24 17:51:25 -08:00
parent f37ab46ee9
commit 62a67e9a7b
9 changed files with 41 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Orchard.Web/Core/XmlRpc/Controllers/HomeController.cs
View File

@@ -6,6 +6,7 @@ using System.Web.Mvc;
using Orchard.Core.XmlRpc.Models;
using Orchard.Core.XmlRpc.Services;
using Orchard.Logging;
using Orchard.Security;
namespace Orchard.Core.XmlRpc.Controllers {
public class HomeController : Controller {
@@ -24,6 +25,7 @@ namespace Orchard.Core.XmlRpc.Controllers {
public ILogger Logger { get; set; }
[HttpPost, ActionName("Index")]
[AlwaysAccessible]
public ActionResult ServiceEndpoint(XRpcMethodCall methodCall) {
Logger.Debug("XmlRpc methodName {0}", methodCall.MethodName);
var methodResponse = Dispatch(methodCall);

2
src/Orchard.Web/Core/XmlRpc/Controllers/LiveWriterController.cs
View File

@@ -4,6 +4,7 @@ using System.Web;
using System.Web.Mvc;
using System.Xml.Linq;
using Orchard.Logging;
using Orchard.Security;
namespace Orchard.Core.XmlRpc.Controllers {
public class LiveWriterController : Controller {
@@ -18,6 +19,7 @@ namespace Orchard.Core.XmlRpc.Controllers {
protected ILogger Logger { get; set; }
[NoCache]
[AlwaysAccessible]
public ActionResult Manifest() {
Logger.Debug("Manifest requested");

9
src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
View File

@@ -47,6 +47,7 @@ namespace Orchard.Users.Controllers {
public ILogger Logger { get; set; }
public Localizer T { get; set; }
[AlwaysAccessible]
public ActionResult AccessDenied() {
var returnUrl = Request.QueryString["ReturnUrl"];
var currentUser = _authenticationService.GetAuthenticatedUser();
@@ -68,6 +69,7 @@ namespace Orchard.Users.Controllers {
return View();
}
[AlwaysAccessible]
public ActionResult LogOn() {
if (_authenticationService.GetAuthenticatedUser() != null)
return Redirect("~/");
@@ -77,6 +79,7 @@ namespace Orchard.Users.Controllers {
}
[HttpPost]
[AlwaysAccessible]
[SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
Justification = "Needs to take same parameter type as Controller.Redirect()")]
public ActionResult LogOn(string userNameOrEmail, string password, string returnUrl) {
@@ -110,6 +113,7 @@ namespace Orchard.Users.Controllers {
}
}
[AlwaysAccessible]
public ActionResult Register() {
// ensure users can register
var registrationSettings = _orchardServices.WorkContext.CurrentSite.As<RegistrationSettingsPart>();
@@ -124,6 +128,7 @@ namespace Orchard.Users.Controllers {
}
[HttpPost]
[AlwaysAccessible]
public ActionResult Register(string userName, string email, string password, string confirmPassword) {
// ensure users can register
var registrationSettings = _orchardServices.WorkContext.CurrentSite.As<RegistrationSettingsPart>();
@@ -169,6 +174,7 @@ namespace Orchard.Users.Controllers {
return new ShapeResult(this, shape);
}
[AlwaysAccessible]
public ActionResult RequestLostPassword() {
// ensure users can request lost password
var registrationSettings = _orchardServices.WorkContext.CurrentSite.As<RegistrationSettingsPart>();
@@ -180,6 +186,7 @@ namespace Orchard.Users.Controllers {
}
[HttpPost]
[AlwaysAccessible]
public ActionResult RequestLostPassword(string username) {
// ensure users can request lost password
var registrationSettings = _orchardServices.WorkContext.CurrentSite.As<RegistrationSettingsPart>();
@@ -200,6 +207,7 @@ namespace Orchard.Users.Controllers {
}
[Authorize]
[AlwaysAccessible]
public ActionResult ChangePassword() {
ViewData["PasswordLength"] = MinPasswordLength;
@@ -208,6 +216,7 @@ namespace Orchard.Users.Controllers {
[Authorize]
[HttpPost]
[AlwaysAccessible]
[SuppressMessage("Microsoft.Design", "CA1031:DoNotCatchGeneralExceptionTypes",
Justification = "Exceptions result in password not being changed.")]
public ActionResult ChangePassword(string currentPassword, string newPassword, string confirmPassword) {

1
src/Orchard.Web/Modules/Orchard.Users/Orchard.Users.csproj
View File

@@ -72,7 +72,6 @@
<Compile Include="Models\UserPartRecord.cs" />
<Compile Include="Models\UserStatus.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
<Compile Include="Security\AccessFrontEndFilter.cs" />
<Compile Include="Services\IUserService.cs" />
<Compile Include="Services\MembershipService.cs" />
<Compile Include="AdminMenu.cs" />

32
src/Orchard.Web/Modules/Orchard.Users/Security/AccessFrontEndFilter.cs
View File

@@ -1,32 +0,0 @@
using System.Web.Mvc;
using Orchard.Localization;
using Orchard.Mvc.Filters;
using Orchard.Security;
using Orchard.UI.Admin;
namespace Orchard.Users.Security {
public class FrontEndFilter : FilterProvider, IAuthorizationFilter {
private readonly IAuthorizer _authorizer;
public FrontEndFilter(IAuthorizer authorizer) {
_authorizer = authorizer;
T = NullLocalizer.Instance;
}
public Localizer T { get; set; }
public void OnAuthorization(AuthorizationContext filterContext) {
var isAuthPage = (filterContext.ActionDescriptor.ActionName == "LogOn"
|| filterContext.ActionDescriptor.ActionName == "ChangePassword"
|| filterContext.ActionDescriptor.ActionName == "AccessDenied"
|| filterContext.ActionDescriptor.ActionName == "Register"
|| filterContext.ActionDescriptor.ActionName == "RequestLostPassword")
&& filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Account";
if (!AdminFilter.IsApplied(filterContext.RequestContext) && !isAuthPage && !_authorizer.Authorize(StandardPermissions.AccessFrontEnd)) {
filterContext.Result = new HttpUnauthorizedResult();
}
}
}
}

1
src/Orchard/Orchard.Framework.csproj
View File

@@ -253,6 +253,7 @@
<Compile Include="Recipes\Services\IRecipeScheduler.cs" />
<Compile Include="Recipes\Services\IRecipeStepExecutor.cs" />
<Compile Include="Recipes\Services\IRecipeStepQueue.cs" />
<Compile Include="Security\AlwaysAccessibleAttribute.cs" />
<Compile Include="Security\IEncryptionService.cs" />
<Compile Include="Security\CurrentUserWorkContext.cs" />
<Compile Include="Security\Providers\DefaultEncryptionService.cs" />

10
src/Orchard/Security/AlwaysAccessibleAttribute.cs Normal file
View File

@@ -0,0 +1,10 @@
using System;
namespace Orchard.Security {
/// <summary>
/// Applied on a Controller or an Action, will prevent any action from being filtered by AccessFrontEnd permssion
/// </summary>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class AlwaysAccessibleAttribute : Attribute {
}
}

20
src/Orchard/Security/SecurityFilter.cs
View File

@@ -1,17 +1,31 @@
using System.Web.Mvc;
using System.Linq;
using System.Web.Mvc;
using JetBrains.Annotations;
using Orchard.Logging;
using Orchard.Mvc.Filters;
using Orchard.UI.Admin;
namespace Orchard.Security {
[UsedImplicitly]
public class SecurityFilter : FilterProvider, IExceptionFilter {
public SecurityFilter() {
public class SecurityFilter : FilterProvider, IExceptionFilter, IAuthorizationFilter {
private readonly IAuthorizer _authorizer;
public SecurityFilter(IAuthorizer authorizer) {
_authorizer = authorizer;
Logger = NullLogger.Instance;
}
public ILogger Logger { get; set; }
public void OnAuthorization(AuthorizationContext filterContext) {
var accessFrontEnd = filterContext.ActionDescriptor.GetCustomAttributes(typeof (AlwaysAccessibleAttribute), true).Any();
if (!AdminFilter.IsApplied(filterContext.RequestContext) && !accessFrontEnd && !_authorizer.Authorize(StandardPermissions.AccessFrontEnd)) {
filterContext.Result = new HttpUnauthorizedResult();
}
}
public void OnException(ExceptionContext filterContext) {
if (!(filterContext.Exception is OrchardSecurityException))
return;

9
src/Orchard/Security/UnauthorizedException.cs
View File

@@ -1,9 +0,0 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace Orchard.Security {
public class UnauthorizedException : ApplicationException {
}
}