consistent permission checks for working with Blog Posts

check MetaListOwnBlogs for consistency
Fixes #4767
2025-10-08 00:14:31 +08:00 · 2016-10-27 12:21:07 -07:00 · 2016-10-27 12:21:07 -07:00
4 changed files with 26 additions and 12 deletions
--- a/src/Orchard.Web/Modules/Orchard.Blogs/AdminMenu.cs
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/AdminMenu.cs
@@ -26,7 +26,7 @@ namespace Orchard.Blogs {
        }

        private void BuildMenu(NavigationItemBuilder menu) {
-            var blogs = _blogService.Get().Where(x => _authorizationService.TryCheckAccess(Permissions.MetaListBlogs, _workContextAccessor.GetContext().CurrentUser, x)).ToArray();
+            var blogs = _blogService.Get().Where(x => _authorizationService.TryCheckAccess(Permissions.MetaListOwnBlogs, _workContextAccessor.GetContext().CurrentUser, x)).ToArray();
            var blogCount = blogs.Count();
            var singleBlog = blogCount == 1 ? blogs.ElementAt(0) : null;

--- a/src/Orchard.Web/Modules/Orchard.Blogs/Orchard.Blogs.csproj
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Orchard.Blogs.csproj
@@ -236,6 +236,9 @@
  <ItemGroup>
    <Content Include="packages.config" />
  </ItemGroup>
+  <ItemGroup>
+    <Content Include="Views\Content-BlogPost.PublishButton.cshtml" />
+  </ItemGroup>
  <PropertyGroup>
    <VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">10.0</VisualStudioVersion>
    <VSToolsPath Condition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>
--- a/src/Orchard.Web/Modules/Orchard.Blogs/Views/Content-BlogPost.PublishButton.cshtml
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Views/Content-BlogPost.PublishButton.cshtml
@@ -0,0 +1,8 @@
+@using Orchard.ContentManagement;
+@using Orchard.Blogs;
+
+@if (Authorizer.Authorize(Permissions.PublishBlogPost, (IContent)Model.ContentItem)) {
+<fieldset class="publish-button">
+    <button type="submit" name="submit.Publish" value="submit.Publish">@T("Publish Now")</button>
+</fieldset>
+}
--- a/src/Orchard.Web/Modules/Orchard.Blogs/Views/Content-BlogPost.SummaryAdmin.cshtml
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Views/Content-BlogPost.SummaryAdmin.cshtml
@@ -1,9 +1,12 @@
-@using Orchard.ContentManagement;
-@using Orchard.Core.Contents
+@using Orchard.Blogs;
+@using Orchard.Blogs.Extensions;
+@using Orchard.Blogs.Models;
+@using Orchard.ContentManagement;
@using Orchard.Utility.Extensions;
@{
    Script.Require("ShapesBase");
    ContentItem contentItem = Model.ContentItem;
+    BlogPostPart post = contentItem.As<BlogPostPart>();
    var returnUrl = ViewContext.RequestContext.HttpContext.Request.ToUrlString();
 }
 <div class="summary" itemscope="itemscope" itemid="@contentItem.Id" itemtype="http://orchardproject.net/data/ContentItem">
@@ -25,17 +28,17 @@
            @T(" | ")

            if (contentItem.HasDraft()) {
-                @Html.Link(T("Publish Draft").Text, Url.Action("Publish", "Admin", new { area = "Contents", id = contentItem.Id, returnUrl = Request.ToUrlString() }), new { itemprop = "UnsafeUrl" })
+                @Html.Link(T("Publish Draft").Text, Url.BlogPostPublish(post), new { itemprop = "UnsafeUrl" })
                @T(" | ")

-                if (Authorizer.Authorize(Orchard.Blogs.Permissions.PublishBlogPost, contentItem)) {
+                if (Authorizer.Authorize(Permissions.PublishBlogPost, contentItem)) {
                    @Html.ActionLink(T("Preview").Text, "Preview", "Item", new { area = "Contents", id = contentItem.Id }, new { })
                    @T(" | ")
                }
            }

-            if (Authorizer.Authorize(Orchard.Blogs.Permissions.PublishBlogPost, contentItem)) {
-                @Html.Link(T("Unpublish").Text, Url.Action("Unpublish", "Admin", new { area = "Contents", id = contentItem.Id, returnUrl = Request.ToUrlString() }), new { itemprop = "UnsafeUrl" })
+            if (Authorizer.Authorize(Permissions.PublishBlogPost, contentItem)) {
+                @Html.Link(T("Unpublish").Text, Url.BlogPostUnpublish(post), new { itemprop = "UnsafeUrl" })
                @T(" | ")
            }
        } else {
@@ -44,16 +47,16 @@
                @T(" | ")
            }

-            if (Authorizer.Authorize(Orchard.Blogs.Permissions.PublishBlogPost, contentItem)) {
-                @Html.Link(T("Publish").Text, Url.Action("Publish", "Admin", new { area = "Contents", id = contentItem.Id, returnUrl = Request.ToUrlString() }), new { itemprop = "UnsafeUrl" })
+            if (Authorizer.Authorize(Permissions.PublishBlogPost, contentItem)) {
+                @Html.Link(T("Publish").Text, Url.BlogPostPublish(post), new { itemprop = "UnsafeUrl" })
                @T(" | ")
            }
        }
-        @if (Authorizer.Authorize(Orchard.Blogs.Permissions.EditBlogPost, contentItem)) {
+        @if (Authorizer.Authorize(Permissions.EditBlogPost, contentItem)) {
            @Html.ItemEditLink(T("Edit").Text, contentItem)@T(" | ")
        }
-        @if (Authorizer.Authorize(Orchard.Blogs.Permissions.DeleteBlogPost, contentItem)) {
-            @Html.Link(T("Delete").Text, Url.ItemRemoveUrl(contentItem, new {returnUrl}), new {itemprop = "RemoveUrl UnsafeUrl"})
+        @if (Authorizer.Authorize(Permissions.DeleteBlogPost, contentItem)) {
+            @Html.Link(T("Delete").Text, Url.BlogPostDelete(post), new {itemprop = "RemoveUrl UnsafeUrl"})
        }
    </div>
    @if (Model.Content != null) {
Author	SHA1	Message	Date
Kegan Maher	5ad9f50471	consistent permission checks for working with Blog Posts	2016-10-27 12:21:07 -07:00
Kegan Maher	b25b13aa83	check MetaListOwnBlogs for consistency Fixes #4767	2016-10-27 12:21:07 -07:00