From a4e824fb4a0d4d24ddb8aa6d1c5b682c67facd71 Mon Sep 17 00:00:00 2001 From: Andre Rodrigues Date: Fri, 10 Dec 2010 18:54:36 -0800 Subject: [PATCH] #17033: Fixing live writter and blog post admin permissions. --HG-- branch : dev --- .../Controllers/BlogPostAdminController.cs | 27 ++++---- .../Orchard.Blogs/Services/XmlRpcHandler.cs | 68 ++++++++++++------- .../Services/MembershipService.cs | 2 +- 3 files changed, 59 insertions(+), 38 deletions(-) diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs index 00082f0b5..2022dd933 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs @@ -95,7 +95,7 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post.ContentItem, T("Couldn't edit blog post"))) + if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post, T("Couldn't edit blog post"))) return new HttpUnauthorizedResult(); dynamic model = Services.ContentManager.BuildEditor(post); 
@@ -124,16 +124,13 @@ namespace Orchard.Blogs.Controllers { if (blogPost == null) return HttpNotFound(); - if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, blogPost, T("Couldn't publish blog post"))) + if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, blogPost, T("Couldn't publish blog post"))) return new HttpUnauthorizedResult(); return EditPOST(blogId, postId, returnUrl, contentItem => Services.ContentManager.Publish(contentItem)); } public ActionResult EditPOST(int blogId, int postId, string returnUrl, Action conditionallyPublish) { - if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Couldn't edit blog post"))) - return new HttpUnauthorizedResult(); - var blog = _blogService.Get(blogId, VersionOptions.Latest); if (blog == null) return HttpNotFound(); @@ -143,6 +140,9 @@ namespace Orchard.Blogs.Controllers { if (blogPost == null) return HttpNotFound(); + if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, blogPost, T("Couldn't edit blog post"))) + return new HttpUnauthorizedResult(); + // Validate form input var model = Services.ContentManager.UpdateEditor(blogPost, this); if (!ModelState.IsValid) { @@ -199,8 +199,6 @@ namespace Orchard.Blogs.Controllers { [ValidateAntiForgeryTokenOrchard] public ActionResult Delete(int blogId, int postId) { //refactoring: test PublishBlogPost/PublishOthersBlogPost in addition if published - if (!Services.Authorizer.Authorize(Permissions.DeleteOwnBlogPost, T("Couldn't delete blog post"))) - return new HttpUnauthorizedResult(); var blog = _blogService.Get(blogId, VersionOptions.Latest); if (blog == null) @@ -210,6 +208,9 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); + if (!Services.Authorizer.Authorize(Permissions.DeleteOthersBlogPost, post, T("Couldn't delete blog post"))) + return new HttpUnauthorizedResult(); + _blogPostService.Delete(post); Services.Notifier.Information(T("Blog post was successfully deleted")); 
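Review bot: Deleting a post is still gated only on DeleteOthersBlogPost (downgraded to the own-post variant for the author, if Orchard's authorizer behaves as it does elsewhere), so the stale `//refactoring: test PublishBlogPost/PublishOthersBlogPost in addition if published` comment left at the top of Delete remains unaddressed: an author with delete rights but no publish rights can remove a post that is already live. If that is the intended policy, drop the comment; otherwise add a second check right after the new one, gated on the post's published state, e.g. `if (<post is published> && !Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, post, T("Couldn't delete a published blog post"))) return new HttpUnauthorizedResult();`, using whatever published-state accessor the content item exposes. The Delete action's signature and attribute sit in the preceding hunk, and the method body continues past the end of this one.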
@@ -218,9 +219,6 @@ namespace Orchard.Blogs.Controllers { [ValidateAntiForgeryTokenOrchard] public ActionResult Publish(int blogId, int postId) { - if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, T("Couldn't publish blog post"))) - return new HttpUnauthorizedResult(); - var blog = _blogService.Get(blogId, VersionOptions.Latest); if (blog == null) return HttpNotFound(); @@ -229,6 +227,9 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); + if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, post, T("Couldn't publish blog post"))) + return new HttpUnauthorizedResult(); + _blogPostService.Publish(post); Services.Notifier.Information(T("Blog post successfully published.")); @@ -237,9 +238,6 @@ namespace Orchard.Blogs.Controllers { [ValidateAntiForgeryTokenOrchard] public ActionResult Unpublish(int blogId, int postId) { - if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, T("Couldn't unpublish blog post"))) - return new HttpUnauthorizedResult(); - var blog = _blogService.Get(blogId, VersionOptions.Latest); if (blog == null) return HttpNotFound(); @@ -248,6 +246,9 @@ namespace Orchard.Blogs.Controllers { if (post == null) return HttpNotFound(); + if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, post, T("Couldn't unpublish blog post"))) + return new HttpUnauthorizedResult(); + _blogPostService.Unpublish(post); Services.Notifier.Information(T("Blog post successfully unpublished.")); diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs index 616086921..01190a656 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs 
@@ -13,6 +13,7 @@ using Orchard.Core.Routable.Services; using Orchard.Core.XmlRpc; using Orchard.Core.XmlRpc.Models; using Orchard.Environment.Extensions; +using Orchard.Localization; using Orchard.Logging; using Orchard.Mvc.Extensions; using Orchard.Security; @@ -41,9 +42,11 @@ namespace Orchard.Blogs.Services { _routableService = routableService; _routeCollection = routeCollection; Logger = NullLogger.Instance; + T = NullLocalizer.Instance; } public ILogger Logger { get; set; } + public Localizer T { get; set; } public void SetCapabilities(XElement options) { const string manifestUri = "http://schemas.microsoft.com/wlw/manifest/weblog"; @@ -122,17 +125,20 @@ namespace Orchard.Blogs.Services { string userName, string password) { - var user = _membershipService.ValidateUser(userName, password); - _authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, null); + IUser user = ValidateUser(userName, password); - var array = new XRpcArray(); - foreach (var blog in _blogService.Get()) { - var thisBlog = blog; + // User needs to at least have permission to edit its own blog posts to access the service + _authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null); + + XRpcArray array = new XRpcArray(); + foreach (BlogPart blog in _blogService.Get()) { + BlogPart blogPart = blog; array.Add(new XRpcStruct() - .Set("url", urlHelper.AbsoluteAction(() => urlHelper.Blog(thisBlog))) - .Set("blogid", blog.Id) - .Set("blogName", blog.Name)); + .Set("url", urlHelper.AbsoluteAction(() => urlHelper.Blog(blogPart))) + .Set("blogid", blog.Id) + .Set("blogName", blog.Name)); } + return array; } 
@@ -143,12 +149,15 @@ namespace Orchard.Blogs.Services { string password, int numberOfPosts) { - var user = _membershipService.ValidateUser(userName, password); - _authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, null); + IUser user = ValidateUser(userName, password); - var blog = _contentManager.Get(Convert.ToInt32(blogId)); - if (blog == null) + // User needs to at least have permission to edit its own blog posts to access the service + _authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null); + + BlogPart blog = _contentManager.Get(Convert.ToInt32(blogId)); + if (blog == null) { throw new ArgumentException(); + } var array = new XRpcArray(); foreach (var blogPost in _blogPostService.Get(blog, 0, numberOfPosts, VersionOptions.Latest)) { @@ -165,10 +174,12 @@ namespace Orchard.Blogs.Services { bool publish, IEnumerable drivers) { - var user = _membershipService.ValidateUser(userName, password); - _authorizationService.CheckAccess(publish ? Permissions.PublishOthersBlogPost : Permissions.EditOthersBlogPost, user, null); + IUser user = ValidateUser(userName, password); - var blog = _contentManager.Get(Convert.ToInt32(blogId)); + // User needs permission to edit or publish its own blog posts + _authorizationService.CheckAccess(publish ? Permissions.PublishOwnBlogPost : Permissions.EditOwnBlogPost, user, null); + + BlogPart blog = _contentManager.Get(Convert.ToInt32(blogId)); if (blog == null) throw new ArgumentException(); 
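Review bot: The relaxed entry check `_authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null)` admits any user who may edit their own posts, but the query that follows, `_blogPostService.Get(blog, 0, numberOfPosts, VersionOptions.Latest)`, returns the latest (i.e. possibly unpublished draft) version of every post in the blog regardless of author, so this method discloses other authors' drafts to a caller that the GetPost path in this same file rejects with a per-post EditOthersBlogPost check. Filter per item inside the loop, which continues outside the hunk, with a non-throwing check such as `if (!_authorizationService.TryCheckAccess(Permissions.EditOthersBlogPost, user, blogPost)) continue;` (assuming the authorization service exposes a bool variant alongside CheckAccess, as Orchard's does elsewhere; otherwise restrict the query to published versions for users lacking EditOthersBlogPost). The enclosing method begins and ends outside this hunk.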
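Review bot: `Convert.ToInt32(blogId)` on the client-supplied blogid string throws FormatException or OverflowException for non-numeric input, which escapes as an unhandled fault instead of the ArgumentException this method uses for an unknown blog; the same pattern appears in the recent-posts and delete methods. Prefer `int id; if (!int.TryParse(blogId, out id)) throw new ArgumentException();` followed by `BlogPart blog = _contentManager.Get(id);`, so malformed ids from Live Writer or a hand-crafted request take the same rejection path as missing ones. The permission check above it passes null content, which is acceptable for creating an own post but means the target blog itself is never authorized against; a one-line comment stating that this is intentional would help the next reader. The enclosing method begins and ends outside this hunk.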
@@ -215,13 +226,13 @@ namespace Orchard.Blogs.Services { string password, IEnumerable drivers) { - var user = _membershipService.ValidateUser(userName, password); - _authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, null); - + IUser user = ValidateUser(userName, password); var blogPost = _blogPostService.Get(postId, VersionOptions.Latest); if (blogPost == null) throw new ArgumentException(); + _authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, blogPost); + var postStruct = CreateBlogStruct(blogPost, urlHelper); foreach (var driver in drivers) @@ -231,13 +242,13 @@ namespace Orchard.Blogs.Services { } private bool MetaWeblogEditPost(int postId, string userName, string password, XRpcStruct content, bool publish, IEnumerable drivers) { - var user = _membershipService.ValidateUser(userName, password); - _authorizationService.CheckAccess(publish ? Permissions.PublishOthersBlogPost : Permissions.EditOthersBlogPost, user, null); - + IUser user = ValidateUser(userName, password); var blogPost = _blogPostService.Get(postId, VersionOptions.DraftRequired); if (blogPost == null) throw new ArgumentException(); + _authorizationService.CheckAccess(publish ? Permissions.PublishOthersBlogPost : Permissions.EditOthersBlogPost, user, blogPost); + var title = content.Optional("title"); var description = content.Optional("description"); var slug = content.Optional("wp_slug"); 
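Review bot: In MetaWeblogEditPost the post is now fetched with `_blogPostService.Get(postId, VersionOptions.DraftRequired)` before `_authorizationService.CheckAccess(...)` runs, so if DraftRequired does what its name suggests (creates a new draft version when none exists), an unauthorized caller can still cause a draft to be created on someone else's post before the exception is thrown. Load read-only first, authorize, then request the draft: change the fetch to `var blogPost = _blogPostService.Get(postId, VersionOptions.Latest);` and add `blogPost = _blogPostService.Get(postId, VersionOptions.DraftRequired);` immediately after the CheckAccess call. Note also that when publish is true only PublishOthersBlogPost is checked while the content is modified as well, which is sound only if that permission implies EditOthersBlogPost in this module's permission definitions, not visible here. The method body continues outside the hunk.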
@@ -256,13 +267,13 @@ namespace Orchard.Blogs.Services { } private bool MetaWeblogDeletePost(string appkey, string postId, string userName, string password, bool publish, IEnumerable drivers) { - var user = _membershipService.ValidateUser(userName, password); - _authorizationService.CheckAccess(Permissions.DeleteOthersBlogPost, user, null); - + IUser user = ValidateUser(userName, password); var blogPost = _blogPostService.Get(Convert.ToInt32(postId), VersionOptions.Latest); if (blogPost == null) throw new ArgumentException(); + _authorizationService.CheckAccess(Permissions.DeleteOthersBlogPost, user, blogPost); + foreach (var driver in drivers) driver.Process(blogPost.Id); @@ -270,6 +281,15 @@ namespace Orchard.Blogs.Services { return true; } + private IUser ValidateUser(string userName, string password) { + IUser user = _membershipService.ValidateUser(userName, password); + if (user == null) { + throw new OrchardCoreException(T("The username or e-mail or password provided is incorrect.")); + } + + return user; + } + private static XRpcStruct CreateBlogStruct(BlogPostPart blogPostPart, UrlHelper urlHelper) { var url = urlHelper.AbsoluteAction(() => urlHelper.BlogPost(blogPostPart)); return new XRpcStruct() diff --git a/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs b/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs index 2dda60990..9f48eb4e3 100644 --- a/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs +++ b/src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs @@ -107,7 +107,7 @@ namespace Orchard.Users.Services { var user = _orchardServices.ContentManager.Query().Where(u => u.NormalizedUserName == lowerName).List().FirstOrDefault(); - if(user == null) + if (user == null) user = _orchardServices.ContentManager.Query().Where(u => u.Email == lowerName).List().FirstOrDefault(); if ( user == null || ValidatePassword(user.As().Record, password) == false )
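Review bot: The new ValidateUser helper rejects bad credentials with a suitably generic message, but it does so silently: nothing is written to `Logger` (the ILogger property this class already holds), so repeated XML-RPC login failures, the obvious brute-force path against an endpoint that accepts a password on every call, leave no trace for detection. Add a warning before the throw, `Logger.Warning("XML-RPC authentication failed for user '{0}'", userName);`, logging the user name only and never the password (assuming Orchard's logger extensions follow the usual Warning(format, args) shape). Whether this endpoint shares any lockout or throttling with the interactive login is not visible from this diff and is worth confirming.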