Fix missing permission checks and encoding. (#11344)
sebastienros committed Mar 10, 2022
1 parent 18e9423 commit b7096af
Showing 7 changed files with 118 additions and 48 deletions.
@@ -1,6 +1,7 @@
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using OrchardCore.Admin;
using OrchardCore.ContentFields.Settings;
@@ -9,9 +10,11 @@
using OrchardCore.ContentManagement;
using OrchardCore.ContentManagement.Metadata;
using OrchardCore.ContentManagement.Records;
using OrchardCore.Contents;
using OrchardCore.Modules;
using YesSql;
using YesSql.Services;
using IHttpContextAccessor = Microsoft.AspNetCore.Http.IHttpContextAccessor;

namespace OrchardCore.ContentFields.Controllers
{
@@ -23,18 +26,23 @@ public class LocalizationSetContentPickerAdminController : Controller
private readonly IContentLocalizationManager _contentLocalizationManager;
private readonly IContentManager _contentManager;
private readonly ISession _session;
private readonly IAuthorizationService _authorizationService;
private readonly IHttpContextAccessor _httpContextAccessor;

public LocalizationSetContentPickerAdminController(
IContentDefinitionManager contentDefinitionManager,
IContentLocalizationManager contentLocalizationManager,
IContentManager contentManager,
ISession session
)
ISession session,
IAuthorizationService authorizationService,
IHttpContextAccessor httpContextAccessor)
{
_contentDefinitionManager = contentDefinitionManager;
_contentLocalizationManager = contentLocalizationManager;
_contentManager = contentManager;
_session = session;
_authorizationService = authorizationService;
_httpContextAccessor = httpContextAccessor;
}

[HttpGet]
@@ -71,12 +79,15 @@ public async Task<IActionResult> SearchLocalizationSets(string part, string fiel

foreach (var contentItem in cleanedContentItems)
{
results.Add(new VueMultiselectItemViewModel
if (await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User, CommonPermissions.ViewContent, contentItem))
{
Id = contentItem.Key, //localization set
DisplayText = contentItem.Value.ToString(),
HasPublished = await _contentManager.HasPublishedVersionAsync(contentItem.Value)
});
results.Add(new VueMultiselectItemViewModel
{
Id = contentItem.Key, //localization set
DisplayText = contentItem.Value.ToString(),
HasPublished = await _contentManager.HasPublishedVersionAsync(contentItem.Value)
});
}
}

return new ObjectResult(results);
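Review bot: The new `AuthorizeAsync` call inside the `foreach` passes the loop variable `contentItem` as the resource, but the lines below read `contentItem.Key` and `contentItem.Value`, so that variable looks like a key/value pair rather than a content item. If the authorization handlers expect the content item itself as the resource, type- or owner-scoped rules for `ViewContent` would not be evaluated for these entries; passing the item explicitly avoids that: `if (await _authorizationService.AuthorizeAsync(User, CommonPermissions.ViewContent, contentItem.Value))`. `Controller.User` is already available on this class, which would also make the injected `IHttpContextAccessor` unnecessary. The body of `SearchLocalizationSets` starts outside this hunk, so the element type of `cleanedContentItems` should be confirmed there.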
@@ -1,10 +1,13 @@
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using OrchardCore.Admin;
using OrchardCore.ContentManagement;
using OrchardCore.ContentManagement.Display;
using OrchardCore.Contents;
using OrchardCore.DisplayManagement.ModelBinding;
using YesSql;
using IHttpContextAccessor = Microsoft.AspNetCore.Http.IHttpContextAccessor;

namespace OrchardCore.Demo.Controllers
{
@@ -14,17 +17,23 @@ public class ContentController : Controller
private readonly IContentManager _contentManager;
private readonly ISession _session;
private readonly IUpdateModelAccessor _updateModelAccessor;
private readonly IAuthorizationService _authorizationService;
private readonly IHttpContextAccessor _httpContextAccessor;

public ContentController(
IContentManager contentManager,
IContentItemDisplayManager contentDisplay,
ISession session,
IUpdateModelAccessor updateModelAccessor)
IUpdateModelAccessor updateModelAccessor,
IAuthorizationService authorizationService,
IHttpContextAccessor httpContextAccessor)
{
_contentManager = contentManager;
_contentDisplay = contentDisplay;
_session = session;
_updateModelAccessor = updateModelAccessor;
_authorizationService = authorizationService;
_httpContextAccessor = httpContextAccessor;
}

public async Task<ActionResult> Display(string contentItemId)
@@ -36,6 +45,11 @@ public async Task<ActionResult> Display(string contentItemId)
return NotFound();
}

if (!await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User, CommonPermissions.ViewContent, contentItem))
{
return Forbid();
}

var shape = await _contentDisplay.BuildDisplayAsync(contentItem, _updateModelAccessor.ModelUpdater);
return View(shape);
}
@@ -50,6 +64,11 @@ public async Task<ActionResult> Edit(string contentItemId)
return NotFound();
}

if (!await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User, CommonPermissions.EditContent, contentItem))
{
return Forbid();
}

var shape = await _contentDisplay.BuildEditorAsync(contentItem, _updateModelAccessor.ModelUpdater, false);
return View(shape);
}
@@ -64,6 +83,11 @@ public async Task<ActionResult> EditPost(string contentItemId)
return NotFound();
}

if (!await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User, CommonPermissions.EditContent, contentItem))
{
return Forbid();
}

var shape = await _contentDisplay.UpdateEditorAsync(contentItem, _updateModelAccessor.ModelUpdater, false);

if (!ModelState.IsValid)
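Review bot: `Display`, `Edit` and `EditPost` read the principal through `_httpContextAccessor.HttpContext.User`, although `ContentController` derives from `Controller` and other controllers in this commit pass `User` directly. Using `User` would remove the `IHttpContextAccessor` field, constructor parameter and using alias, along with the `HttpContext` dereference that can be null outside a request: `if (!await _authorizationService.AuthorizeAsync(User, CommonPermissions.ViewContent, contentItem))`. Separately, because the `NotFound()` check comes before `Forbid()`, a caller without the permission still gets a different status for an existing id than for a missing one; returning `NotFound()` on a denied view is an option if that distinction matters for this module. Each action's body starts outside its hunk.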
@@ -112,6 +112,11 @@ public async Task<ActionResult> Features(BulkActionViewModel model, bool? force)
[HttpPost]
public async Task<IActionResult> Disable(string id)
{
if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageFeatures))
{
return Forbid();
}

var feature = (await _shellFeaturesManager.GetAvailableFeaturesAsync())
.FirstOrDefault(f => !f.IsTheme() && f.Id == id);

@@ -134,6 +139,11 @@ public async Task<IActionResult> Disable(string id)
[HttpPost]
public async Task<IActionResult> Enable(string id)
{
if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageFeatures))
{
return Forbid();
}

var feature = (await _shellFeaturesManager.GetAvailableFeaturesAsync())
.FirstOrDefault(f => !f.IsTheme() && f.Id == id);
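Review bot: The `ManageFeatures` guard is added by hand at the top of `Disable` and `Enable`, and the `ManageRoles` guard likewise at the top of the POST `Create` in the roles controller section below, so each action stays protected only if its author remembers to repeat the check. No test is visible on this page; a regression test that posts to each of these actions as a user lacking the permission and expects a forbidden result would catch the next action added without one. A short comment above each guard, such as `// State-changing POST: authorize here, the action is reachable without going through the GET view.`, would record why it is there. The bodies of these actions continue outside the hunks.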

@@ -85,6 +85,11 @@ public async Task<IActionResult> Create()
[HttpPost]
public async Task<IActionResult> Create(CreateRoleViewModel model)
{
if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageRoles))
{
return Forbid();
}

if (ModelState.IsValid)
{
model.RoleName = model.RoleName.Trim();