lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-10-15 19:54:57 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Issue 21244 - Display warning when insecure custom forms are created

Browse Source
This commit is contained in:
myates
2015-09-11 17:52:19 +10:00
parent 47133604c3
commit a28b966685
1 changed files with 23 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/Orchard.Web/Modules/Orchard.CustomForms/Drivers/CustomFormPartDriver.cs
View File

@@ -8,19 +8,28 @@ using Orchard.CustomForms.Models;
using Orchard.CustomForms.ViewModels;
using Orchard.ContentManagement.Handlers;
using System;
using Orchard.Core.Contents.Settings;
using Orchard.Security;
using Orchard.Localization;
namespace Orchard.CustomForms.Drivers {
public class CustomFormPartDriver : ContentPartDriver<CustomFormPart> {
private readonly IContentDefinitionManager _contentDefinitionManager;
private readonly IOrchardServices _orchardServices;
private readonly IAuthorizationService _authService;
public CustomFormPartDriver(
IContentDefinitionManager contentDefinitionManager,
IOrchardServices orchardServices) {
IOrchardServices orchardServices,
IAuthorizationService authService) {
_contentDefinitionManager = contentDefinitionManager;
_orchardServices = orchardServices;
_authService = authService;
T = NullLocalizer.Instance;
}
public Localizer T { get; set; }
protected override DriverResult Display(CustomFormPart part, string displayType, dynamic shapeHelper) {
// this method is used by the widget to render the form when it is displayed
@@ -55,6 +64,19 @@ namespace Orchard.CustomForms.Drivers {
};
updater.TryUpdateModel(viewModel, Prefix, null, null);
// Warn if the custom form is set to save a content item that is viewable by anonymous users (publicly accessible)
if (viewModel.CustomFormPart.SaveContentItem) {
// If it's draftable then don't display the warning because the generated content items won't be publicly accessible
var typeDefinition = _contentDefinitionManager.ListTypeDefinitions().Where(x => String.Equals(x.Name, viewModel.CustomFormPart.ContentType, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
if (typeDefinition != null && !typeDefinition.Settings.GetModel<ContentTypeSettings>().Draftable) {
// Create a dummy content item of the specified type to check permissions against
if (_authService.TryCheckAccess(Orchard.Core.Contents.Permissions.ViewContent, null, _orchardServices.ContentManager.New(viewModel.CustomFormPart.ContentType))) {
_orchardServices.Notifier.Add(UI.Notify.NotifyType.Warning, T("Your custom form will save data to content items that are publicly accessible."));
}
}
}
return Editor(part, shapeHelper);
}