Checking site ownership for all gallery actions

Work Item: 16978

--HG--
branch : dev

src/Orchard.Web/Modules/Orchard.Packaging/AdminMenu.cs

@@ -1,6 +1,7 @@
 using Orchard.Environment.Extensions;
 using Orchard.Localization;
 using Orchard.UI.Navigation;
+using Orchard.Security;
 
 namespace Orchard.Packaging {
     [OrchardFeature("Gallery")]
@@ -12,11 +13,14 @@ namespace Orchard.Packaging {
         public void GetNavigation(NavigationBuilder builder) {
             builder.Add(T("Gallery"), "30", menu => menu
                         .Add(T("Modules"), "1.0", item => item
-                             .Action("Modules", "Gallery", new { area = "Orchard.Packaging" }))
+                             .Action("Modules", "Gallery", new { area = "Orchard.Packaging" })
+                             .Permission(StandardPermissions.SiteOwner))
                         .Add(T("Themes"), "2.0", item => item
-                             .Action("Themes", "Gallery", new { area = "Orchard.Packaging" }))
+                             .Action("Themes", "Gallery", new { area = "Orchard.Packaging" })
+                             .Permission(StandardPermissions.SiteOwner))
                         .Add(T("Feeds"), "3.0", item => item
-                             .Action("Sources", "Gallery", new { area = "Orchard.Packaging" })));
+                             .Action("Sources", "Gallery", new { area = "Orchard.Packaging" })
+                             .Permission(StandardPermissions.SiteOwner)));
         }
     }
 }

src/Orchard.Web/Modules/Orchard.Packaging/Controllers/GalleryController.cs

@@ -9,6 +9,7 @@ using Orchard.Localization;
 using Orchard.Logging;
 using Orchard.Packaging.Services;
 using Orchard.Packaging.ViewModels;
+using Orchard.Security;
 using Orchard.Themes;
 using Orchard.UI.Admin;
 using Orchard.UI.Notify;
@@ -26,36 +27,51 @@ namespace Orchard.Packaging.Controllers {
         public GalleryController(
             IPackageManager packageManager,
             IPackagingSourceManager packagingSourceManager,
-            INotifier notifier) {
+            INotifier notifier,
+            IOrchardServices services) {
             _packageManager = packageManager;
             _packagingSourceManager = packagingSourceManager;
             _notifier = notifier;
+            Services = services;
 
             T = NullLocalizer.Instance;
             Logger = NullLogger.Instance;
         }
 
+        public IOrchardServices Services { get; set; }
         public Localizer T { get; set; }
         public ILogger Logger { get; set; }
 
         public ActionResult Sources() {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to list sources")))
+                return new HttpUnauthorizedResult();
+
             return View(new PackagingSourcesViewModel {
                 Sources = _packagingSourceManager.GetSources(),
             });
         }
 
         public ActionResult Remove(int id) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to remove sources")))
+                return new HttpUnauthorizedResult();
+
             _packagingSourceManager.RemoveSource(id);
             _notifier.Information(T("The feed has been removed successfully."));
             return RedirectToAction("Sources");
         }
 
         public ActionResult AddSource() {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add sources")))
+                return new HttpUnauthorizedResult();
+
             return View(new PackagingAddSourceViewModel());
         }
 
         [HttpPost]
         public ActionResult AddSource(string url) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add sources")))
+                return new HttpUnauthorizedResult();
+
             try {
                 if (!String.IsNullOrEmpty(url)) {
                     if (!url.StartsWith("http")) {
@@ -96,6 +112,9 @@ namespace Orchard.Packaging.Controllers {
         }
 
         public ActionResult Modules(int? sourceId) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to list modules")))
+                return new HttpUnauthorizedResult();
+
             var selectedSource = _packagingSourceManager.GetSources().Where(s => s.Id == sourceId).FirstOrDefault();
 
             var sources = selectedSource != null
@@ -123,6 +142,9 @@ namespace Orchard.Packaging.Controllers {
         }
 
         public ActionResult Themes(int? sourceId) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to list themes")))
+                return new HttpUnauthorizedResult();
+
             var selectedSource = _packagingSourceManager.GetSources().Where(s => s.Id == sourceId).FirstOrDefault();
 
             var sources = selectedSource != null
@@ -138,6 +160,9 @@ namespace Orchard.Packaging.Controllers {
         }
 
         public ActionResult Install(string packageId, string version, int sourceId, string redirectTo) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to install packages")))
+                return new HttpUnauthorizedResult();
+
             var source = _packagingSourceManager.GetSources().Where(s => s.Id == sourceId).FirstOrDefault();
 
             if (source == null) {

src/Orchard.Web/Modules/Orchard.Packaging/Controllers/PackagingServicesController.cs

@@ -8,6 +8,7 @@ using Orchard.Environment.Extensions;
 using Orchard.FileSystems.AppData;
 using Orchard.Localization;
 using Orchard.Packaging.Services;
+using Orchard.Security;
 using Orchard.Themes;
 using Orchard.UI.Admin;
 using Orchard.UI.Notify;
@@ -25,7 +26,8 @@ namespace Orchard.Packaging.Controllers {
         public PackagingServicesController(
             IPackageManager packageManager,
             INotifier notifier,
-            IAppDataFolderRoot appDataFolderRoot) {
+            IAppDataFolderRoot appDataFolderRoot,
+            IOrchardServices services) {
             _packageManager = packageManager;
             _notifier = notifier;
             _appDataFolderRoot = appDataFolderRoot;
@@ -34,31 +36,50 @@ namespace Orchard.Packaging.Controllers {
         }
 
         public Localizer T { get; set; }
+        public IOrchardServices Services { get; set; }
 
         public ActionResult AddTheme(string returnUrl) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add themes")))
+                return new HttpUnauthorizedResult();
+
             return View();
         }
 
         [HttpPost, ActionName("AddTheme")]
         public ActionResult AddThemePOST(string returnUrl) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add themes")))
+                return new HttpUnauthorizedResult();
+
             return InstallPackage(returnUrl, Request.RawUrl);
         }
 
         [HttpPost, ActionName("RemoveTheme")]
         public ActionResult RemoveThemePOST(string themeId, string returnUrl, string retryUrl) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to remove themes")))
+                return new HttpUnauthorizedResult();
+
             return UninstallPackage(PackagingSourceManager.ThemesPrefix + themeId, returnUrl, retryUrl);
         }
 
         public ActionResult AddModule(string returnUrl) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add modules")))
+                return new HttpUnauthorizedResult();
+
             return View();
         }
 
         [HttpPost, ActionName("AddModule")]
         public ActionResult AddModulePOST(string returnUrl) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to add modules")))
+                return new HttpUnauthorizedResult();
+
             return InstallPackage(returnUrl, Request.RawUrl);
         }
 
         public ActionResult InstallPackage(string returnUrl, string retryUrl) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to install packages")))
+                return new HttpUnauthorizedResult();
+
             try {
                 if (Request.Files != null &&
                     Request.Files.Count > 0 &&
@@ -90,6 +111,9 @@ namespace Orchard.Packaging.Controllers {
         }
 
         public ActionResult UninstallPackage(string id, string returnUrl, string retryUrl) {
+            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to uninstall packages")))
+                return new HttpUnauthorizedResult();
+
             try {
                 _packageManager.Uninstall(id, HostingEnvironment.MapPath("~/"));