16975 ItemController.Preview action in contents module should do permission demand for edit content

--HG--
branch : dev

src/Orchard.Web/Core/Contents/Controllers/ItemController.cs

@@ -1,6 +1,7 @@
 using System.Web.Mvc;
 using Orchard.ContentManagement;
 using Orchard.DisplayManagement;
+using Orchard.Localization;
 using Orchard.Themes;
 
 namespace Orchard.Core.Contents.Controllers {
@@ -8,12 +9,16 @@ namespace Orchard.Core.Contents.Controllers {
     public class ItemController : Controller {
         private readonly IContentManager _contentManager;
 
-        public ItemController(IContentManager contentManager, IShapeFactory shapeFactory) {
+        public ItemController(IContentManager contentManager, IShapeFactory shapeFactory, IOrchardServices services) {
             _contentManager = contentManager;
             Shape = shapeFactory;
+            Services = services;
+            T = NullLocalizer.Instance;
         }
 
         dynamic Shape { get; set; }
+        public IOrchardServices Services { get; private set; }
+        public Localizer T { get; set; }
  
         // /Contents/Item/Display/72
         public ActionResult Display(int id) {
@@ -31,6 +36,10 @@ namespace Orchard.Core.Contents.Controllers {
                 versionOptions = VersionOptions.Number((int)version);
 
             var contentItem = _contentManager.Get(id, versionOptions);
+
+            if (!Services.Authorizer.Authorize(Permissions.EditOthersContent, contentItem, T("Cannot edit content")))
+                return new HttpUnauthorizedResult();
+
             dynamic model = _contentManager.BuildDisplay(contentItem);
             // Casting to avoid invalid (under medium trust) reflection over the protected View method and force a static invocation.
             return View("Display", (object)model);