#16387: More granular permissions for blogs

Adding a new Manage Own Blog permission.
Preventing a user without Manage Blog Post from creating a post on a blog he
does not own.
Checking for ownership on the Post or on the Blog.

Work Item: 16387

--HG--
branch : 1.x
This commit is contained in:
Sebastien Ros
2011-11-09 17:30:39 -08:00
parent 33e6b6a274
commit ec97e95221
4 changed files with 34 additions and 11 deletions


@@ -87,10 +87,11 @@ namespace Orchard.Blogs.Controllers {
}
public ActionResult Edit(int blogId) {
if (!Services.Authorizer.Authorize(Permissions.ManageBlogs, T("Not allowed to edit blog")))
var blog = _blogService.Get(blogId, VersionOptions.Latest);
if (!Services.Authorizer.Authorize(Permissions.ManageBlogs, blog, T("Not allowed to edit blog")))
return new HttpUnauthorizedResult();
var blog = _blogService.Get(blogId, VersionOptions.Latest);
if (blog == null)
return HttpNotFound();
@@ -119,10 +120,11 @@ namespace Orchard.Blogs.Controllers {
[HttpPost, ActionName("Edit")]
[FormValueRequired("submit.Save")]
public ActionResult EditPOST(int blogId) {
if (!Services.Authorizer.Authorize(Permissions.ManageBlogs, T("Couldn't edit blog")))
var blog = _blogService.Get(blogId, VersionOptions.DraftRequired);
if (!Services.Authorizer.Authorize(Permissions.ManageBlogs, blog, T("Couldn't edit blog")))
return new HttpUnauthorizedResult();
var blog = _blogService.Get(blogId, VersionOptions.DraftRequired);
if (blog == null)
return HttpNotFound();
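Review bot: In Edit the content-scoped `Services.Authorizer.Authorize(Permissions.ManageBlogs, blog, ...)` call now runs before the `blog == null` check, so an unknown blogId is evaluated by the authorization handlers with null content before the 404 branch is reached; EditPOST has the same ordering. The ownership check added elsewhere in this commit returns false for null content, so the outcome is a deny rather than an exception, but nothing near the call records that the check deliberately tolerates a null subject. I would state the intent above the call with `// Content-scoped check: ManageBlogs is required unless the caller presumably qualifies through ownership of this blog; a null blog is denied here and reported as 404 below.` Both Edit and EditPOST continue past the end of their hunks.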


@@ -38,7 +38,7 @@ namespace Orchard.Blogs.Controllers {
var blogPost = Services.ContentManager.New<BlogPostPart>("BlogPost");
blogPost.BlogPart = blog;
if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, blogPost, T("Not allowed to create blog post")))
if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, blog, T("Not allowed to create blog post")))
return new HttpUnauthorizedResult();
dynamic model = Services.ContentManager.BuildEditor(blogPost);
@@ -71,7 +71,7 @@ namespace Orchard.Blogs.Controllers {
var blogPost = Services.ContentManager.New<BlogPostPart>("BlogPost");
blogPost.BlogPart = blog;
if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, blogPost, T("Couldn't create blog post")))
if (!Services.Authorizer.Authorize(Permissions.EditBlogPost, blog, T("Couldn't create blog post")))
return new HttpUnauthorizedResult();
Services.ContentManager.Create(blogPost, VersionOptions.Draft);
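Review bot: The authorization subject for creating a post is now the container `blog` instead of the freshly created `blogPost`, in both the GET Create hunk and the POST Create hunk, but the code does not say why; the post returned by `New<BlogPostPart>` presumably has no owner yet, so the blog is the only thing ownership can be evaluated against, and that reasoning belongs next to the call. Suggested comment above each check: `// Authorize against the blog, not the unsaved post: only EditBlogPost, or ownership of this blog, may create posts in it.` `blog` is obtained before the hunk, so whether it is null-checked before this call is not visible here. Both Create actions start and end outside their hunks.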


@@ -4,14 +4,15 @@ using Orchard.Security.Permissions;
namespace Orchard.Blogs {
public class Permissions : IPermissionProvider {
public static readonly Permission ManageBlogs = new Permission { Description = "Manage blogs", Name = "ManageBlogs" };
public static readonly Permission ManageBlogs = new Permission { Description = "Manage blogs for others", Name = "ManageBlogs" };
public static readonly Permission ManageOwnBlogs = new Permission { Description = "Manage own blogs", Name = "ManageOwnBlogs", ImpliedBy = new[] { ManageBlogs } };
public static readonly Permission PublishBlogPost = new Permission { Description = "Publish or unpublish blog post for others", Name = "PublishBlogPost", ImpliedBy = new[] { ManageBlogs } };
public static readonly Permission PublishOwnBlogPost = new Permission { Description = "Publish or unpublish own blog post", Name = "PublishOwnBlogPost", ImpliedBy = new[] { PublishBlogPost } };
public static readonly Permission EditBlogPost = new Permission { Description = "Edit any blog posts", Name = "EditBlogPost", ImpliedBy = new[] { PublishBlogPost } };
public static readonly Permission PublishOwnBlogPost = new Permission { Description = "Publish or unpublish own blog post", Name = "PublishOwnBlogPost", ImpliedBy = new[] { PublishBlogPost, ManageOwnBlogs } };
public static readonly Permission EditBlogPost = new Permission { Description = "Edit blog posts for others", Name = "EditBlogPost", ImpliedBy = new[] { PublishBlogPost } };
public static readonly Permission EditOwnBlogPost = new Permission { Description = "Edit own blog posts", Name = "EditOwnBlogPost", ImpliedBy = new[] { EditBlogPost, PublishOwnBlogPost } };
public static readonly Permission DeleteBlogPost = new Permission { Description = "Delete blog post for others", Name = "DeleteBlogPost", ImpliedBy = new[] { ManageBlogs } };
public static readonly Permission DeleteOwnBlogPost = new Permission { Description = "Delete own blog post", Name = "DeleteOwnBlogPost", ImpliedBy = new[] { DeleteBlogPost } };
public static readonly Permission DeleteOwnBlogPost = new Permission { Description = "Delete own blog post", Name = "DeleteOwnBlogPost", ImpliedBy = new[] { DeleteBlogPost, ManageOwnBlogs } };
public static readonly Permission MetaListBlogs = new Permission { ImpliedBy = new[] { EditBlogPost, PublishBlogPost, DeleteBlogPost } };
public static readonly Permission MetaListOwnBlogs = new Permission { ImpliedBy = new[] { EditOwnBlogPost, PublishOwnBlogPost, DeleteOwnBlogPost } };
@@ -20,6 +21,7 @@ namespace Orchard.Blogs {
public IEnumerable<Permission> GetPermissions() {
return new[] {
ManageOwnBlogs,
ManageBlogs,
EditOwnBlogPost,
EditBlogPost,
@@ -45,7 +47,7 @@ namespace Orchard.Blogs {
},
new PermissionStereotype {
Name = "Author",
Permissions = new[] {PublishOwnBlogPost,EditOwnBlogPost,DeleteOwnBlogPost}
Permissions = new[] {ManageOwnBlogs}
},
new PermissionStereotype {
Name = "Contributor",
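Review bot: The Author stereotype is reduced to `ManageOwnBlogs`, which through the ImpliedBy declarations grants PublishOwnBlogPost and DeleteOwnBlogPost directly and EditOwnBlogPost only via PublishOwnBlogPost, and it additionally lets an author pass the ownership-scoped ManageBlogs checks the controllers now perform on the blog itself — a wider grant than the three `*Own*` post permissions the stereotype held before, which deserves a sentence in the commit message or a comment on the field. EditOwnBlogPost is the only `*Own*` post permission whose ImpliedBy does not name `ManageOwnBlogs`; listing it makes the intent readable without relying on the transitive chain: `ImpliedBy = new[] { EditBlogPost, PublishOwnBlogPost, ManageOwnBlogs }`. A one-line comment on the new field would also help: `// Full control of blogs the current user owns; ManageBlogs covers every blog and implies this.`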


@@ -25,9 +25,28 @@ namespace Orchard.Blogs.Security {
if (user == null || content == null)
return false;
if(HasOwnershipOnContainer(user, content)) {
return true;
}
var common = content.As<ICommonPart>();
if (common == null || common.Owner == null)
return false;
return user.Id == common.Owner.Id;
}
private static bool HasOwnershipOnContainer(IUser user, IContent content) {
if (user == null || content == null)
return false;
var common = content.As<ICommonPart>();
if (common == null || common.Container == null)
return false;
common = common.Container.As<ICommonPart>();
if (common == null || common.Container == null)
return false;
return user.Id == common.Owner.Id;
}
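Review bot: HasOwnershipOnContainer re-tests `common.Container` after resolving the container's own ICommonPart and then dereferences `common.Owner` unguarded on its last line, so a container that has no container of its own can never grant ownership, and a container whose Owner is null throws a NullReferenceException instead of returning false. The second guard should test the field that is actually read: `if (common == null || common.Owner == null)`. HasOwnership, whose body forms the first part of this hunk, starts above the hunk; its order (container owner first, then the content's own owner) is fine once the guard is fixed.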