- Blogs: Some permission checks for recently added operations

--HG--
extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4043120
suhacan
2009-12-03 22:53:49 +00:00
parent 807facdb91
commit a61f5a5dd4
3 changed files with 25 additions and 2 deletions


@@ -9,6 +9,7 @@ using Orchard.Localization;
using Orchard.Models;
using Orchard.Models.Driver;
using Orchard.Mvc.Results;
using Orchard.Security;
using Orchard.UI.Notify;
namespace Orchard.Blogs.Controllers {
@@ -16,13 +17,17 @@ namespace Orchard.Blogs.Controllers {
public class BlogController : Controller, IUpdateModel {
private readonly ISessionLocator _sessionLocator;
private readonly IContentManager _contentManager;
private readonly IAuthorizer _authorizer;
private readonly INotifier _notifier;
private readonly IBlogService _blogService;
private readonly IBlogPostService _blogPostService;
public BlogController(ISessionLocator sessionLocator, IContentManager contentManager, INotifier notifier, IBlogService blogService, IBlogPostService blogPostService) {
public BlogController(ISessionLocator sessionLocator, IContentManager contentManager,
IAuthorizer authorizer, INotifier notifier,
IBlogService blogService, IBlogPostService blogPostService) {
_sessionLocator = sessionLocator;
_contentManager = contentManager;
_authorizer = authorizer;
_notifier = notifier;
_blogService = blogService;
_blogPostService = blogPostService;
@@ -70,6 +75,9 @@ namespace Orchard.Blogs.Controllers {
[HttpPost]
public ActionResult Create(CreateBlogViewModel model) {
if (!_authorizer.Authorize(Permissions.CreateBlog, T("Couldn't create blog")))
return new HttpUnauthorizedResult();
if (!ModelState.IsValid)
return View(model);
@@ -97,6 +105,9 @@ namespace Orchard.Blogs.Controllers {
[HttpPost]
public ActionResult Edit(string blogSlug, FormCollection input) {
if (!_authorizer.Authorize(Permissions.ModifyBlog, T("Couldn't edit blog")))
return new HttpUnauthorizedResult();
//TODO: (erikpo) Move looking up the current blog up into a modelbinder
Blog blog = _blogService.Get(blogSlug);
@@ -117,6 +128,9 @@ namespace Orchard.Blogs.Controllers {
//[HttpPost] <- todo: (heskew) make all add/edit/remove POST only and verify the AntiForgeryToken
public ActionResult Delete(string blogSlug) {
if (!_authorizer.Authorize(Permissions.DeleteBlog, T("Couldn't delete blog")))
return new HttpUnauthorizedResult();
//TODO: (erikpo) Move looking up the current blog up into a modelbinder
Blog blog = _blogService.Get(blogSlug);
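Review bot: The check added to Delete at L55 guards an action that is still reachable by GET, because the `[HttpPost]` on the line above it remains commented out; an authorization check establishes who the caller is, not whether the request was deliberately issued, so a state-changing GET stays open to cross-site requests, a gap the existing TODO on L54 already acknowledges. The immediate fix is to restore the attribute as `[HttpPost]` together with `[ValidateAntiForgeryToken]` and render the token in the delete form. Separately, all three new checks here, and the one in BlogPostController.Delete, answer a signed-in user who merely lacks the permission with `HttpUnauthorizedResult`; under forms authentication that usually redirects to the login page instead of reporting a forbidden action, so a 403-style result may be the better outcome, to be confirmed against how the rest of the application handles it. The GET counterparts of Create and Edit lie outside these hunks; if they carry no check, the form is still rendered to users who cannot submit it. Delete's body continues past the end of the hunk.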


@@ -149,6 +149,9 @@ namespace Orchard.Blogs.Controllers {
[HttpPost]
public ActionResult Delete(string blogSlug, string postSlug) {
if (!_authorizer.Authorize(Permissions.DeletePost, T("Couldn't delete blog post")))
return new HttpUnauthorizedResult();
//TODO: (erikpo) Move looking up the current blog up into a modelbinder
Blog blog = _blogService.Get(blogSlug);
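Review bot: Delete at L65 is POST-only but carries no `[ValidateAntiForgeryToken]`, so the new permission check does not stop a forged cross-site POST issued from the browser of a user who does hold DeletePost; adding the attribute next to `[HttpPost]` and emitting the token in the delete form closes that gap, and the same applies to the POST Create and Edit actions in BlogController. Placing the check before the blog lookup is the right order, since it keeps unauthorized callers from probing which slugs exist. The method's body continues past the end of the hunk.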


@@ -11,6 +11,9 @@ namespace Orchard.Blogs {
public static readonly Permission PublishPost = new Permission { Description = "Publishing a Blog Post", Name = "PublishPost" };
public static readonly Permission UnpublishPost = new Permission { Description = "Unpublishing a Blog Post", Name = "UnpublishPost" };
public static readonly Permission SchedulePost = new Permission { Description = "Scheduling a Blog Post", Name = "SchedulePost" };
public static readonly Permission CreateBlog = new Permission { Description = "Creating a Blog", Name = "CreateBlog" };
public static readonly Permission ModifyBlog = new Permission { Description = "Mofifying a Blog", Name = "ModifyBlog" };
public static readonly Permission DeleteBlog = new Permission { Description = "Deleting a Blog", Name = "DeleteBlog" };
public string PackageName {
get {
@@ -27,7 +30,10 @@ namespace Orchard.Blogs {
DeletePost,
PublishPost,
UnpublishPost,
SchedulePost
SchedulePost,
CreateBlog,
ModifyBlog,
DeleteBlog
};
}
}
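Review bot: The Description of the new ModifyBlog permission at L78 reads `"Mofifying a Blog"`; Description is the human-readable text for the permission, so it should be `Description = "Modifying a Blog"`. The Name value, which the controller checks refer to through the static field, is unaffected. The enclosing Permissions class starts above the first hunk.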