Fixing issue where anon users can spam the SiteService on Content Authorization. Also changing scope of double part check.

Nicholas Mayne
2015-06-02 11:19:00 +01:00
parent 1e83068b8c
commit 7415d6d5cc


@@ -23,11 +23,12 @@ namespace Orchard.ContentPermissions.Security {
public void Complete(CheckAccessContext context) {
if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser)
&& context.User != null
&& String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) {
context.Granted = true;
return;
if (context.User != null) {
var superuser = _workContextAccessor.GetContext().CurrentSite.SuperUser;
if (!string.IsNullOrEmpty(superuser) && string.Equals(context.User.UserName, superuser, StringComparison.Ordinal)) {
context.Granted = true;
return;
}
}
if (context.Content == null) {
@@ -42,10 +43,10 @@ namespace Orchard.ContentPermissions.Security {
if(commonPart != null && commonPart.Container != null) {
part = commonPart.Container.As<ContentPermissionsPart>();
}
}
if (part == null || !part.Enabled) {
return;
if (part == null || !part.Enabled) {
return;
}
}
var hasOwnership = HasOwnership(context.User, context.Content);
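Review bot: The outer `if (context.User != null)` in the first hunk is what keeps anonymous requests from reaching `CurrentSite.SuperUser`, but nothing in the code records that the ordering matters, so a later cleanup could fold the two conditions back into one expression. I would add a comment above it such as `// Check the user first: anonymous requests must not trigger the site settings lookup.` The superuser match also returns before the `context.Content == null` test, so it appears to grant whatever permission is being checked regardless of the content item; that is probably intended, but it is worth stating in the same comment. `Complete` starts inside the first hunk and continues past both hunks.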