From 7415d6d5cce6e75b2e793f61c2a304c66972b2e1 Mon Sep 17 00:00:00 2001
From: Nicholas Mayne
Date: Tue, 2 Jun 2015 11:19:00 +0100
Subject: [PATCH] Fixing issue where anon users can spam the SiteService on Content Authorization. Also changing scope of double part check.

---
 ...tPermissionsPartAuthorizationEventHandler.cs | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/Orchard.Web/Modules/Orchard.ContentPermissions/Security/ContentPermissionsPartAuthorizationEventHandler.cs b/src/Orchard.Web/Modules/Orchard.ContentPermissions/Security/ContentPermissionsPartAuthorizationEventHandler.cs
index 415247090..a2866ac1b 100644
--- a/src/Orchard.Web/Modules/Orchard.ContentPermissions/Security/ContentPermissionsPartAuthorizationEventHandler.cs
+++ b/src/Orchard.Web/Modules/Orchard.ContentPermissions/Security/ContentPermissionsPartAuthorizationEventHandler.cs
@@ -23,11 +23,12 @@ namespace Orchard.ContentPermissions.Security {
         public void Complete(CheckAccessContext context) {
-            if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser)
-                && context.User != null
-                && String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) {
-                context.Granted = true;
-                return;
+            if (context.User != null) {
+                var superuser = _workContextAccessor.GetContext().CurrentSite.SuperUser;
+                if (!string.IsNullOrEmpty(superuser) && string.Equals(context.User.UserName, superuser, StringComparison.Ordinal)) {
+                    context.Granted = true;
+                    return;
+                }
             }
 
             if (context.Content == null) {
@@ -42,10 +43,10 @@ namespace Orchard.ContentPermissions.Security {
                 if(commonPart != null && commonPart.Container != null) {
                     part = commonPart.Container.As();
                 }
-            }
 
-            if (part == null || !part.Enabled) {
-                return;
+                if (part == null || !part.Enabled) {
+                    return;
+                }
             }
 
             var hasOwnership = HasOwnership(context.User, context.Content);
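Review bot: The `context.User != null` guard in the first hunk now does double duty — it is the precondition for the username comparison and also the only thing keeping anonymous requests from touching `_workContextAccessor.GetContext().CurrentSite`, but nothing in the code records that, so a later tidy-up could hoist the `superuser` lookup back out of the block and reintroduce the problem the commit fixes. A one-line comment on the `var superuser = …` line would pin the intent: `// Resolve the site's SuperUser only for authenticated users; anonymous requests must not hit the site-settings service on every authorization check.` Behaviour when `GetContext()` or `CurrentSite` is null is the same as in the removed lines (both dereference unguarded) and is not addressed here. `Complete` continues past the end of this hunk.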
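Review bot: In the second hunk the early return `if (part == null || !part.Enabled) { return; }` now sits inside the enclosing block, so it only fires when that block's condition held; that condition starts above the hunk, and whether a content item whose own part exists but is disabled still returns early depends on the outer `if` testing `Enabled` as well as null. The subject's "double part check" suggests it does, in which case this is a pure tidy-up; if the outer test were only `part == null`, a disabled part would now fall through to `HasOwnership` and the permission evaluation below, which is an authorization change rather than a refactor, so the outer condition is worth confirming in the same commit. Either way a comment above the moved check would make the fallback chain readable: `// No enabled ContentPermissionsPart on the item or its container: nothing for this handler to decide.` The enclosing method starts and ends outside this hunk.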