lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-10-15 03:25:23 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

#17033: Fixing live writter and blog post admin permissions.

Browse Source 
--HG--
branch : dev
This commit is contained in:
Andre Rodrigues
2010-12-10 18:54:36 -08:00
parent 99979cf319
commit a4e824fb4a
3 changed files with 59 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs
View File

@@ -95,7 +95,7 @@ namespace Orchard.Blogs.Controllers {
if (post == null)
return HttpNotFound();
if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post.ContentItem, T("Couldn't edit blog post")))
if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, post, T("Couldn't edit blog post")))
return new HttpUnauthorizedResult();
dynamic model = Services.ContentManager.BuildEditor(post);
@@ -124,16 +124,13 @@ namespace Orchard.Blogs.Controllers {
if (blogPost == null)
return HttpNotFound();
if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, blogPost, T("Couldn't publish blog post")))
if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, blogPost, T("Couldn't publish blog post")))
return new HttpUnauthorizedResult();
return EditPOST(blogId, postId, returnUrl, contentItem => Services.ContentManager.Publish(contentItem));
}
public ActionResult EditPOST(int blogId, int postId, string returnUrl, Action<ContentItem> conditionallyPublish) {
if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Couldn't edit blog post")))
return new HttpUnauthorizedResult();
var blog = _blogService.Get(blogId, VersionOptions.Latest);
if (blog == null)
return HttpNotFound();
@@ -143,6 +140,9 @@ namespace Orchard.Blogs.Controllers {
if (blogPost == null)
return HttpNotFound();
if (!Services.Authorizer.Authorize(Permissions.EditOthersBlogPost, blogPost, T("Couldn't edit blog post")))
return new HttpUnauthorizedResult();
// Validate form input
var model = Services.ContentManager.UpdateEditor(blogPost, this);
if (!ModelState.IsValid) {
@@ -199,8 +199,6 @@ namespace Orchard.Blogs.Controllers {
[ValidateAntiForgeryTokenOrchard]
public ActionResult Delete(int blogId, int postId) {
//refactoring: test PublishBlogPost/PublishOthersBlogPost in addition if published
if (!Services.Authorizer.Authorize(Permissions.DeleteOwnBlogPost, T("Couldn't delete blog post")))
return new HttpUnauthorizedResult();
var blog = _blogService.Get(blogId, VersionOptions.Latest);
if (blog == null)
@@ -210,6 +208,9 @@ namespace Orchard.Blogs.Controllers {
if (post == null)
return HttpNotFound();
if (!Services.Authorizer.Authorize(Permissions.DeleteOthersBlogPost, post, T("Couldn't delete blog post")))
return new HttpUnauthorizedResult();
_blogPostService.Delete(post);
Services.Notifier.Information(T("Blog post was successfully deleted"));
@@ -218,9 +219,6 @@ namespace Orchard.Blogs.Controllers {
[ValidateAntiForgeryTokenOrchard]
public ActionResult Publish(int blogId, int postId) {
if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, T("Couldn't publish blog post")))
return new HttpUnauthorizedResult();
var blog = _blogService.Get(blogId, VersionOptions.Latest);
if (blog == null)
return HttpNotFound();
@@ -229,6 +227,9 @@ namespace Orchard.Blogs.Controllers {
if (post == null)
return HttpNotFound();
if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, post, T("Couldn't publish blog post")))
return new HttpUnauthorizedResult();
_blogPostService.Publish(post);
Services.Notifier.Information(T("Blog post successfully published."));
@@ -237,9 +238,6 @@ namespace Orchard.Blogs.Controllers {
[ValidateAntiForgeryTokenOrchard]
public ActionResult Unpublish(int blogId, int postId) {
if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, T("Couldn't unpublish blog post")))
return new HttpUnauthorizedResult();
var blog = _blogService.Get(blogId, VersionOptions.Latest);
if (blog == null)
return HttpNotFound();
@@ -248,6 +246,9 @@ namespace Orchard.Blogs.Controllers {
if (post == null)
return HttpNotFound();
if (!Services.Authorizer.Authorize(Permissions.PublishOthersBlogPost, post, T("Couldn't unpublish blog post")))
return new HttpUnauthorizedResult();
_blogPostService.Unpublish(post);
Services.Notifier.Information(T("Blog post successfully unpublished."));

68
src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs
View File

@@ -13,6 +13,7 @@ using Orchard.Core.Routable.Services;
using Orchard.Core.XmlRpc;
using Orchard.Core.XmlRpc.Models;
using Orchard.Environment.Extensions;
using Orchard.Localization;
using Orchard.Logging;
using Orchard.Mvc.Extensions;
using Orchard.Security;
@@ -41,9 +42,11 @@ namespace Orchard.Blogs.Services {
_routableService = routableService;
_routeCollection = routeCollection;
Logger = NullLogger.Instance;
T = NullLocalizer.Instance;
}
public ILogger Logger { get; set; }
public Localizer T { get; set; }
public void SetCapabilities(XElement options) {
const string manifestUri = "http://schemas.microsoft.com/wlw/manifest/weblog";
@@ -122,17 +125,20 @@ namespace Orchard.Blogs.Services {
string userName,
string password) {
var user = _membershipService.ValidateUser(userName, password);
_authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, null);
IUser user = ValidateUser(userName, password);
var array = new XRpcArray();
foreach (var blog in _blogService.Get()) {
var thisBlog = blog;
// User needs to at least have permission to edit its own blog posts to access the service
_authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null);
XRpcArray array = new XRpcArray();
foreach (BlogPart blog in _blogService.Get()) {
BlogPart blogPart = blog;
array.Add(new XRpcStruct()
.Set("url", urlHelper.AbsoluteAction(() => urlHelper.Blog(thisBlog)))
.Set("blogid", blog.Id)
.Set("blogName", blog.Name));
.Set("url", urlHelper.AbsoluteAction(() => urlHelper.Blog(blogPart)))
.Set("blogid", blog.Id)
.Set("blogName", blog.Name));
}
return array;
}
@@ -143,12 +149,15 @@ namespace Orchard.Blogs.Services {
string password,
int numberOfPosts) {
var user = _membershipService.ValidateUser(userName, password);
_authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, null);
IUser user = ValidateUser(userName, password);
var blog = _contentManager.Get<BlogPart>(Convert.ToInt32(blogId));
if (blog == null)
// User needs to at least have permission to edit its own blog posts to access the service
_authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null);
BlogPart blog = _contentManager.Get<BlogPart>(Convert.ToInt32(blogId));
if (blog == null) {
throw new ArgumentException();
}
var array = new XRpcArray();
foreach (var blogPost in _blogPostService.Get(blog, 0, numberOfPosts, VersionOptions.Latest)) {
@@ -165,10 +174,12 @@ namespace Orchard.Blogs.Services {
bool publish,
IEnumerable<IXmlRpcDriver> drivers) {
var user = _membershipService.ValidateUser(userName, password);
_authorizationService.CheckAccess(publish ? Permissions.PublishOthersBlogPost : Permissions.EditOthersBlogPost, user, null);
IUser user = ValidateUser(userName, password);
var blog = _contentManager.Get<BlogPart>(Convert.ToInt32(blogId));
// User needs permission to edit or publish its own blog posts
_authorizationService.CheckAccess(publish ? Permissions.PublishOwnBlogPost : Permissions.EditOwnBlogPost, user, null);
BlogPart blog = _contentManager.Get<BlogPart>(Convert.ToInt32(blogId));
if (blog == null)
throw new ArgumentException();
@@ -215,13 +226,13 @@ namespace Orchard.Blogs.Services {
string password,
IEnumerable<IXmlRpcDriver> drivers) {
var user = _membershipService.ValidateUser(userName, password);
_authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, null);
IUser user = ValidateUser(userName, password);
var blogPost = _blogPostService.Get(postId, VersionOptions.Latest);
if (blogPost == null)
throw new ArgumentException();
_authorizationService.CheckAccess(Permissions.EditOthersBlogPost, user, blogPost);
var postStruct = CreateBlogStruct(blogPost, urlHelper);
foreach (var driver in drivers)
@@ -231,13 +242,13 @@ namespace Orchard.Blogs.Services {
}
private bool MetaWeblogEditPost(int postId, string userName, string password, XRpcStruct content, bool publish, IEnumerable<IXmlRpcDriver> drivers) {
var user = _membershipService.ValidateUser(userName, password);
_authorizationService.CheckAccess(publish ? Permissions.PublishOthersBlogPost : Permissions.EditOthersBlogPost, user, null);
IUser user = ValidateUser(userName, password);
var blogPost = _blogPostService.Get(postId, VersionOptions.DraftRequired);
if (blogPost == null)
throw new ArgumentException();
_authorizationService.CheckAccess(publish ? Permissions.PublishOthersBlogPost : Permissions.EditOthersBlogPost, user, blogPost);
var title = content.Optional<string>("title");
var description = content.Optional<string>("description");
var slug = content.Optional<string>("wp_slug");
@@ -256,13 +267,13 @@ namespace Orchard.Blogs.Services {
}
private bool MetaWeblogDeletePost(string appkey, string postId, string userName, string password, bool publish, IEnumerable<IXmlRpcDriver> drivers) {
var user = _membershipService.ValidateUser(userName, password);
_authorizationService.CheckAccess(Permissions.DeleteOthersBlogPost, user, null);
IUser user = ValidateUser(userName, password);
var blogPost = _blogPostService.Get(Convert.ToInt32(postId), VersionOptions.Latest);
if (blogPost == null)
throw new ArgumentException();
_authorizationService.CheckAccess(Permissions.DeleteOthersBlogPost, user, blogPost);
foreach (var driver in drivers)
driver.Process(blogPost.Id);
@@ -270,6 +281,15 @@ namespace Orchard.Blogs.Services {
return true;
}
private IUser ValidateUser(string userName, string password) {
IUser user = _membershipService.ValidateUser(userName, password);
if (user == null) {
throw new OrchardCoreException(T("The username or e-mail or password provided is incorrect."));
}
return user;
}
private static XRpcStruct CreateBlogStruct(BlogPostPart blogPostPart, UrlHelper urlHelper) {
var url = urlHelper.AbsoluteAction(() => urlHelper.BlogPost(blogPostPart));
return new XRpcStruct()

2
src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs
View File

@@ -107,7 +107,7 @@ namespace Orchard.Users.Services {
var user = _orchardServices.ContentManager.Query<UserPart, UserPartRecord>().Where(u => u.NormalizedUserName == lowerName).List().FirstOrDefault();
if(user == null)
if (user == null)
user = _orchardServices.ContentManager.Query<UserPart, UserPartRecord>().Where(u => u.Email == lowerName).List().FirstOrDefault();
if ( user == null || ValidatePassword(user.As<UserPart>().Record, password) == false )