From ef5eea48fafb824ea5215372e58d43c0568cfa25 Mon Sep 17 00:00:00 2001
From: Sebastien Ros
Date: Thu, 9 Dec 2010 15:47:25 -0800
Subject: [PATCH] Checking site ownership for all gallery actions
Work Item: 16978
--HG--
branch : dev
---
 .../Modules/Orchard.Packaging/AdminMenu.cs | 10 ++++---
 .../Controllers/GalleryController.cs | 27 ++++++++++++++++++-
 .../PackagingServicesController.cs | 26 +++++++++++++++++-
 3 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/src/Orchard.Web/Modules/Orchard.Packaging/AdminMenu.cs b/src/Orchard.Web/Modules/Orchard.Packaging/AdminMenu.cs
index f34d93011..fbfe5565b 100644
--- a/src/Orchard.Web/Modules/Orchard.Packaging/AdminMenu.cs
+++ b/src/Orchard.Web/Modules/Orchard.Packaging/AdminMenu.cs
@@ -1,6 +1,7 @@
 using Orchard.Environment.Extensions;
 using Orchard.Localization;
 using Orchard.UI.Navigation;
+using Orchard.Security;
 namespace Orchard.Packaging {
 [OrchardFeature("Gallery")]
@@ -12,11 +13,14 @@ namespace Orchard.Packaging {
 public void GetNavigation(NavigationBuilder builder) {
 builder.Add(T("Gallery"), "30", menu => menu
 .Add(T("Modules"), "1.0", item => item
- .Action("Modules", "Gallery", new { area = "Orchard.Packaging" }))
+ .Action("Modules", "Gallery", new { area = "Orchard.Packaging" })
+ .Permission(StandardPermissions.SiteOwner))
 .Add(T("Themes"), "2.0", item => item
- .Action("Themes", "Gallery", new { area = "Orchard.Packaging" }))
+ .Action("Themes", "Gallery", new { area = "Orchard.Packaging" })
+ .Permission(StandardPermissions.SiteOwner))
 .Add(T("Feeds"), "3.0", item => item
- .Action("Sources", "Gallery", new { area = "Orchard.Packaging" })));
+ .Action("Sources", "Gallery", new { area = "Orchard.Packaging" })
+ .Permission(StandardPermissions.SiteOwner)));
 }
 }
 }
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/GalleryController.cs b/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/GalleryController.cs
index 57654a990..c07eecccf 100644
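Review bot: The `.Permission(StandardPermissions.SiteOwner)` added to each Gallery menu item only controls whether the link is rendered for the current user; as far as the navigation API shows here it is not an access check, so the real enforcement is the per-action `Authorize` call this commit adds in the two controllers. A one-line comment above `builder.Add(T("Gallery"), ...)` would stop a future maintainer from treating the menu filter as sufficient: `// Menu filter only hides the links; GalleryController/PackagingServicesController enforce SiteOwner on every action.`. As a point of style, the new `using Orchard.Security;` is appended after `Orchard.UI.Navigation`, breaking the alphabetical order of the existing using block; move it between `Orchard.Localization` and `Orchard.UI.Navigation`.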
--- a/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/GalleryController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/GalleryController.cs
@@ -9,6 +9,7 @@ using Orchard.Localization;
 using Orchard.Logging;
 using Orchard.Packaging.Services;
 using Orchard.Packaging.ViewModels;
+using Orchard.Security;
 using Orchard.Themes;
 using Orchard.UI.Admin;
 using Orchard.UI.Notify; 
@@ -26,36 +27,51 @@ namespace Orchard.Packaging.Controllers {
 public GalleryController(
 IPackageManager packageManager,
 IPackagingSourceManager packagingSourceManager,
- INotifier notifier) {
+ INotifier notifier,
+ IOrchardServices services) {
 _packageManager = packageManager;
 _packagingSourceManager = packagingSourceManager;
 _notifier = notifier;
+ Services = services;
 T = NullLocalizer.Instance;
 Logger = NullLogger.Instance;
 }
+ public IOrchardServices Services { get; set; }
 public Localizer T { get; set; }
 public ILogger Logger { get; set; }
 public ActionResult Sources() {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to list sources")))
+ return new HttpUnauthorizedResult();
+
 return View(new PackagingSourcesViewModel {
 Sources = _packagingSourceManager.GetSources(),
 });
 }
 public ActionResult Remove(int id) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to remove sources")))
+ return new HttpUnauthorizedResult();
+
 _packagingSourceManager.RemoveSource(id);
 _notifier.Information(T("The feed has been removed successfully."));
 return RedirectToAction("Sources");
 }
 public ActionResult AddSource() {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add sources")))
+ return new HttpUnauthorizedResult();
+
 return View(new PackagingAddSourceViewModel());
 }
 [HttpPost]
 public ActionResult AddSource(string url) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add sources")))
+ return new HttpUnauthorizedResult();
+
 try {
 if (!String.IsNullOrEmpty(url)) {
 if (!url.StartsWith("http")) { 
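Review bot: `Remove(int id)` is still a plain GET action (no `[HttpPost]`, unlike the `AddSource(string url)` overload two methods below), so the new SiteOwner check does not stop cross-site request forgery: any page a logged-in site owner visits can delete a feed with an image tag pointing at `/Gallery/Remove/{id}`. Authorization answers "who is this user", not "did this user intend the request", so a state-changing action also needs `[HttpPost]` and the admin anti-forgery token validation the project uses for its other POST actions. The repeated `if (!Services.Authorizer.Authorize(...)) return new HttpUnauthorizedResult();` block could also be folded into a small private helper, but that is a style choice rather than a defect.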
@@ -96,6 +112,9 @@ namespace Orchard.Packaging.Controllers {
 }
 public ActionResult Modules(int? sourceId) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to list modules")))
+ return new HttpUnauthorizedResult();
+
 var selectedSource = _packagingSourceManager.GetSources().Where(s => s.Id == sourceId).FirstOrDefault();
 var sources = selectedSource != null
@@ -123,6 +142,9 @@ namespace Orchard.Packaging.Controllers {
 }
 public ActionResult Themes(int? sourceId) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to list themes")))
+ return new HttpUnauthorizedResult();
+
 var selectedSource = _packagingSourceManager.GetSources().Where(s => s.Id == sourceId).FirstOrDefault();
 var sources = selectedSource != null
@@ -138,6 +160,9 @@ namespace Orchard.Packaging.Controllers {
 }
 public ActionResult Install(string packageId, string version, int sourceId, string redirectTo) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to install packages")))
+ return new HttpUnauthorizedResult();
+
 var source = _packagingSourceManager.GetSources().Where(s => s.Id == sourceId).FirstOrDefault();
 if (source == null) {
diff --git a/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/PackagingServicesController.cs b/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/PackagingServicesController.cs
index e51d385f1..08a5abb83 100644
--- a/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/PackagingServicesController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Packaging/Controllers/PackagingServicesController.cs
@@ -8,6 +8,7 @@ using Orchard.Environment.Extensions;
 using Orchard.FileSystems.AppData;
 using Orchard.Localization;
 using Orchard.Packaging.Services;
+using Orchard.Security;
 using Orchard.Themes;
 using Orchard.UI.Admin;
 using Orchard.UI.Notify; 
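Review bot: `Install(string packageId, string version, int sourceId, string redirectTo)` installs code into the site and is reachable by GET with every parameter taken from the query string, so the new SiteOwner check leaves it open to cross-site request forgery: a site owner who visits a hostile page can be made to install an attacker-chosen package id and version from any configured feed. Of all the actions in this commit this one has the highest impact, since an installed module or theme runs server-side; it should be restricted with `[HttpPost]` plus anti-forgery validation, and the gallery views should submit it as a form rather than a link. `redirectTo` is also caller-supplied; its use is outside the hunk, but if it feeds a redirect it should be checked with `Url.IsLocalUrl(redirectTo)` before use. The method body continues past the end of the hunk.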
@@ -25,7 +26,8 @@ namespace Orchard.Packaging.Controllers {
 public PackagingServicesController(
 IPackageManager packageManager,
 INotifier notifier,
- IAppDataFolderRoot appDataFolderRoot) {
+ IAppDataFolderRoot appDataFolderRoot,
+ IOrchardServices services) {
 _packageManager = packageManager;
 _notifier = notifier;
 _appDataFolderRoot = appDataFolderRoot; 
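Review bot: The new `IOrchardServices services` parameter is never assigned to the `Services` property in this hunk, and the two unchanged lines between this hunk and the next one (old lines 32–33) cannot reference `services` because the parameter did not exist before this commit; unless the container property-injects `IOrchardServices`, `Services` stays null and every action in this controller throws a NullReferenceException at its new `Services.Authorizer.Authorize(...)` call instead of returning 401. Add `Services = services;` after `_appDataFolderRoot = appDataFolderRoot;`, matching what this same commit does in GalleryController's constructor. The constructor body continues past the end of the hunk, so please confirm the missing assignment against the full file.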
@@ -34,31 +36,50 @@ namespace Orchard.Packaging.Controllers {
 }
 public Localizer T { get; set; }
+ public IOrchardServices Services { get; set; }
 public ActionResult AddTheme(string returnUrl) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add themes")))
+ return new HttpUnauthorizedResult();
+
 return View();
 }
 [HttpPost, ActionName("AddTheme")]
 public ActionResult AddThemePOST(string returnUrl) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add themes")))
+ return new HttpUnauthorizedResult();
+
 return InstallPackage(returnUrl, Request.RawUrl);
 }
 [HttpPost, ActionName("RemoveTheme")]
 public ActionResult RemoveThemePOST(string themeId, string returnUrl, string retryUrl) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to remove themes")))
+ return new HttpUnauthorizedResult();
+
 return UninstallPackage(PackagingSourceManager.ThemesPrefix + themeId, returnUrl, retryUrl);
 }
 public ActionResult AddModule(string returnUrl) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add modules")))
+ return new HttpUnauthorizedResult();
+
 return View();
 }
 [HttpPost, ActionName("AddModule")]
 public ActionResult AddModulePOST(string returnUrl) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add modules")))
+ return new HttpUnauthorizedResult();
+
 return InstallPackage(returnUrl, Request.RawUrl);
 }
 public ActionResult InstallPackage(string returnUrl, string retryUrl) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to install packages")))
+ return new HttpUnauthorizedResult();
+
 try {
 if (Request.Files != null && Request.Files.Count > 0 && 
@@ -90,6 +111,9 @@ namespace Orchard.Packaging.Controllers {
 }
 public ActionResult UninstallPackage(string id, string returnUrl, string retryUrl) {
+ if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to uninstall packages")))
+ return new HttpUnauthorizedResult();
+
 try {
 _packageManager.Uninstall(id, HostingEnvironment.MapPath("~/"));