From e44facf4ab2aea954075eaf9b4bb5c9bab7cb981 Mon Sep 17 00:00:00 2001 From: Louis DeJardin Date: Wed, 15 Dec 2010 22:22:58 -0800 Subject: [PATCH] Changing authorize calls to avoid demanding "Own" variations The demand is adjusted if the user is the owner - but the "Own" variation is never used directly --HG-- branch : 1.x --- .../Orchard.Blogs/Controllers/BlogPostAdminController.cs | 6 +++--- .../Modules/Orchard.Blogs/Services/XmlRpcHandler.cs | 9 +++++---- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs index 556a3c151..423895fe5 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Controllers/BlogPostAdminController.cs @@ -32,7 +32,7 @@ namespace Orchard.Blogs.Controllers { public Localizer T { get; set; } public ActionResult Create() { - if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Not allowed to create blog post"))) + if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, T("Not allowed to create blog post"))) return new HttpUnauthorizedResult(); var blogPost = Services.ContentManager.New("BlogPost"); 
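Review bot: The new `Authorize(Permissions.EditBlogPost, T("Not allowed to create blog post"))` call in `Create()` passes no content item, so if the owner adjustment described in the commit message is keyed on the content's owner, nothing can be adjusted here and an author who holds only the "Own" permission would presumably be refused. The same applies to the `PublishBlogPost` and `EditBlogPost` checks in `CreateAndPublishPOST()` and `CreatePOST()` in the next hunk of this file. That fails closed, but it silently changes who may create posts; consider authorizing against the target blog or the newly created item if the authorizer offers an overload that takes content, or at least add a comment such as `// No content item yet: only the general permission is evaluated here`. `Create()` continues past the end of the hunk.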
@@ -56,14 +56,14 @@ namespace Orchard.Blogs.Controllers { [HttpPost, ActionName("Create")] [FormValueRequired("submit.Publish")] public ActionResult CreateAndPublishPOST() { - if (!Services.Authorizer.Authorize(Permissions.PublishOwnBlogPost, T("Couldn't create blog post"))) + if (!Services.Authorizer.Authorize(Permissions.PublishBlogPost, T("Couldn't create blog post"))) return new HttpUnauthorizedResult(); return CreatePOST(contentItem => Services.ContentManager.Publish(contentItem)); } public ActionResult CreatePOST(Action conditionallyPublish) { - if (!Services.Authorizer.Authorize(Permissions.EditOwnBlogPost, T("Couldn't create blog post"))) + if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, T("Couldn't create blog post"))) return new HttpUnauthorizedResult(); var blogPost = Services.ContentManager.New("BlogPost"); diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs index 4ab345b21..dc41db9a3 100644 --- a/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs +++ b/src/Orchard.Web/Modules/Orchard.Blogs/Services/XmlRpcHandler.cs @@ -128,11 +128,12 @@ namespace Orchard.Blogs.Services { IUser user = ValidateUser(userName, password); - // User needs to at least have permission to edit its own blog posts to access the service - _authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null); XRpcArray array = new XRpcArray(); foreach (BlogPart blog in _blogService.Get()) { + // User needs to at least have permission to edit its own blog posts to access the service + _authorizationService.CheckAccess(Permissions.EditBlogPost, user, blog); + BlogPart blogPart = blog; array.Add(new XRpcStruct() .Set("url", urlHelper.AbsoluteAction(() => urlHelper.Blog(blogPart))) 
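Review bot: Moving `CheckAccess(Permissions.EditBlogPost, user, blog)` inside the `foreach` in XmlRpcHandler.cs makes the blog listing all-or-nothing: `CheckAccess` is used as a statement, so it presumably throws on denial, and the first blog the user may not edit would abort the whole response instead of being left out. When `_blogService.Get()` returns no blogs, no permission check runs at all for the authenticated caller. A filtering form such as `if (!_authorizationService.TryCheckAccess(Permissions.EditBlogPost, user, blog)) continue;` would return only the blogs the caller can edit. The comment above the call still speaks of "its own blog posts" and should be reworded to describe the per-blog check. The enclosing method starts and ends outside the hunk.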
@@ -154,7 +155,7 @@ namespace Orchard.Blogs.Services { IUser user = ValidateUser(userName, password); // User needs to at least have permission to edit its own blog posts to access the service - _authorizationService.CheckAccess(Permissions.EditOwnBlogPost, user, null); + _authorizationService.CheckAccess(Permissions.EditBlogPost, user, null); BlogPart blog = _contentManager.Get(Convert.ToInt32(blogId)); if (blog == null) { @@ -184,7 +185,7 @@ namespace Orchard.Blogs.Services { IUser user = ValidateUser(userName, password); // User needs permission to edit or publish its own blog posts - _authorizationService.CheckAccess(publish ? Permissions.PublishOwnBlogPost : Permissions.EditOwnBlogPost, user, null); + _authorizationService.CheckAccess(publish ? Permissions.PublishBlogPost : Permissions.EditBlogPost, user, null); BlogPart blog = _contentManager.Get(Convert.ToInt32(blogId)); if (blog == null)
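Review bot: `CheckAccess(Permissions.EditBlogPost, user, null)` still runs with a null content item before the blog is loaded, so the check is not scoped to the blog named by `blogId` and, if the owner adjustment depends on the content, a caller holding only the "Own" permission is presumably rejected. Once `blog` has been fetched and found non-null, the check could be `_authorizationService.CheckAccess(Permissions.EditBlogPost, user, blog);`. The hunk at `-184,7` has the same shape with `publish ? Permissions.PublishBlogPost : Permissions.EditBlogPost` and would take the same change. The comments in both hunks still say "its own blog posts", which no longer matches the permission being demanded. Both methods extend beyond their hunks.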