diff --git a/src/OrchardCore.Modules/OrchardCore.Flows/Views/FlowPart.cshtml b/src/OrchardCore.Modules/OrchardCore.Flows/Views/FlowPart.cshtml
index 47f9c14bc51..fbb4ded39d9 100644
--- a/src/OrchardCore.Modules/OrchardCore.Flows/Views/FlowPart.cshtml
+++ b/src/OrchardCore.Modules/OrchardCore.Flows/Views/FlowPart.cshtml
@@ -1,14 +1,34 @@
+@using Microsoft.AspNetCore.Authorization
 @using OrchardCore.ContentManagement
+@using OrchardCore.ContentManagement.Metadata
+@using OrchardCore.Contents
 @using OrchardCore.Flows.Models
 @using OrchardCore.Flows.ViewModels
 @using OrchardCore.Mvc.Utilities
+@using OrchardCore.ContentManagement.Metadata.Models
 @model FlowPartViewModel
-@inject OrchardCore.ContentManagement.Display.IContentItemDisplayManager ContentItemDisplayManager
+@inject OrchardCore.ContentManagement.Display.IContentItemDisplayManager ContentItemDisplayManager
+@inject IAuthorizationService AuthorizationService
+@inject IContentDefinitionManager ContentDefinitionManager
+@{
+    var widgetDefinitions = (await ContentDefinitionManager.ListWidgetTypeDefinitionsAsync())
+        .ToDictionary(x => x.Name, StringComparer.OrdinalIgnoreCase);
+}
 @foreach (var widget in Model.FlowPart.Widgets)
 {
+    if (!widgetDefinitions.TryGetValue(widget.ContentType, out var definition))
+    {
+        continue;
+    }
+
+    if (definition.IsSecurable() && !await AuthorizationService.AuthorizeAsync(User, CommonPermissions.ViewContent, widget))
+    {
+        continue;
+    }
+
     var widgetContent = await ContentItemDisplayManager.BuildDisplayAsync(widget, Model.BuildPartDisplayContext.Updater, Model.BuildPartDisplayContext.DisplayType, Model.BuildPartDisplayContext.GroupId);
     var flowMetadata = widget.As();
diff --git a/src/OrchardCore.Modules/OrchardCore.Layers/Services/LayerFilter.cs b/src/OrchardCore.Modules/OrchardCore.Layers/Services/LayerFilter.cs
index 4d692f25d09..87b6af8817e 100644
--- a/src/OrchardCore.Modules/OrchardCore.Layers/Services/LayerFilter.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Layers/Services/LayerFilter.cs
@@ -1,8 +1,11 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Caching.Memory;
 using OrchardCore.Admin;
 using OrchardCore.ContentManagement.Display;
 using OrchardCore.ContentManagement.Metadata;
+using OrchardCore.ContentManagement.Metadata.Models;
+using OrchardCore.Contents;
 using OrchardCore.Data.Documents;
 using OrchardCore.DisplayManagement.Layout;
 using OrchardCore.DisplayManagement.ModelBinding;
@@ -27,6 +30,7 @@ public sealed class LayerFilter : IAsyncResultFilter
     private readonly IMemoryCache _memoryCache;
     private readonly IThemeManager _themeManager;
     private readonly IAdminThemeService _adminThemeService;
+    private readonly IAuthorizationService _authorizationService;
     private readonly ILayerService _layerService;
     private readonly IVolatileDocumentManager _layerStateManager;
@@ -40,6 +44,7 @@ public LayerFilter(
         IMemoryCache memoryCache,
         IThemeManager themeManager,
         IAdminThemeService adminThemeService,
+        IAuthorizationService authorizationService,
         IVolatileDocumentManager layerStateManager)
     {
         _contentDefinitionManager = contentDefinitionManager;
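Review bot: The permission check is enforced inside the view, and the same guard is pasted into TheTheme's FlowPart.cshtml override, so any other theme that overrides FlowPart.cshtml will keep rendering securable widgets unchecked; the check would hold for every theme if it ran where the view model is built (presumably the FlowPart display driver, not in this diff) so that `Model.FlowPart.Widgets` only carries widgets the current user may view. The same `TryGetValue` + `IsSecurable()` + `AuthorizeAsync(..., CommonPermissions.ViewContent, ...)` predicate is repeated in LayerFilter.cs and WidgetsListPartDisplayDriver.cs; a single shared helper would keep the four copies from drifting. A widget whose type has no widget definition is now silently skipped where it was previously rendered, which is a behavior change worth a comment on the first guard, e.g. `@* Widgets whose type is no longer a defined widget type are skipped: they cannot be authorized. *@`. Minor: `@using OrchardCore.ContentManagement.Metadata.Models` is added after `OrchardCore.Mvc.Utilities` here and in the TheTheme copy, breaking the sorted order of the directives.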
@@ -51,6 +56,7 @@ public LayerFilter(
         _memoryCache = memoryCache;
         _themeManager = themeManager;
         _adminThemeService = adminThemeService;
+        _authorizationService = authorizationService;
         _layerStateManager = layerStateManager;
     }
@@ -90,7 +96,8 @@ public async Task OnResultExecutionAsync(ResultExecutingContext context, ResultE
         var updater = _modelUpdaterAccessor.ModelUpdater;
         var layersCache = new Dictionary();
-        var contentDefinitions = await _contentDefinitionManager.ListTypeDefinitionsAsync();
+        var widgetDefinitions = (await _contentDefinitionManager.ListWidgetTypeDefinitionsAsync())
+            .ToDictionary(x => x.Name, StringComparer.OrdinalIgnoreCase);
         foreach (var widget in widgets)
         {
@@ -114,7 +121,8 @@ public async Task OnResultExecutionAsync(ResultExecutingContext context, ResultE
                 continue;
             }
-            if (contentDefinitions.Any(c => c.Name == widget.ContentItem.ContentType))
+            if (widgetDefinitions.TryGetValue(widget.ContentItem.ContentType, out var definition) &&
+                (!definition.IsSecurable() || await _authorizationService.AuthorizeAsync(context.HttpContext.User, CommonPermissions.ViewContent, widget.ContentItem)))
             {
                 var widgetContent = await _contentItemDisplayManager.BuildDisplayAsync(widget.ContentItem, updater);
diff --git a/src/OrchardCore.Modules/OrchardCore.Widgets/Drivers/WidgetsListPartDisplayDriver.cs b/src/OrchardCore.Modules/OrchardCore.Widgets/Drivers/WidgetsListPartDisplayDriver.cs
index 1d6445b752d..00706672ce8 100644
--- a/src/OrchardCore.Modules/OrchardCore.Widgets/Drivers/WidgetsListPartDisplayDriver.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Widgets/Drivers/WidgetsListPartDisplayDriver.cs
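Review bot: The replaced condition in the -114,7 hunk changes which layer widgets render beyond the new permission check: the old `contentDefinitions.Any(c => c.Name == widget.ContentItem.ContentType)` accepted any content type by case-sensitive name, while `widgetDefinitions.TryGetValue` only accepts types returned by ListWidgetTypeDefinitionsAsync (presumably those with the widget stereotype) and matches case-insensitively, so a layer widget whose type exists but is not a widget type now disappears with no log entry. If that narrowing is intended it deserves a comment on the `if`, e.g. `// Only widget types are rendered; securable ones additionally require ViewContent for the current user.`; otherwise the lookup should fall back to the full type list. The `&&`/`||` combination also packs the definition lookup and the authorization decision into one expression; the two-guard form used in the other three files would read more clearly, though whether an early `continue` is safe here depends on what follows this block inside the loop, which is outside the hunk. OnResultExecutionAsync starts and ends outside the hunk.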
@@ -1,9 +1,13 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using OrchardCore.ContentManagement;
 using OrchardCore.ContentManagement.Display;
 using OrchardCore.ContentManagement.Display.ContentDisplay;
 using OrchardCore.ContentManagement.Display.Models;
 using OrchardCore.ContentManagement.Metadata;
+using OrchardCore.ContentManagement.Metadata.Models;
+using OrchardCore.Contents;
 using OrchardCore.DisplayManagement.Views;
 using OrchardCore.Mvc.Utilities;
 using OrchardCore.Widgets.Models;
@@ -15,16 +19,22 @@ namespace OrchardCore.Widgets.Drivers;
 public sealed class WidgetsListPartDisplayDriver : ContentPartDisplayDriver
 {
     private readonly IContentDefinitionManager _contentDefinitionManager;
+    private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly IAuthorizationService _authorizationService;
     private readonly IContentManager _contentManager;
     private readonly IServiceProvider _serviceProvider;
     public WidgetsListPartDisplayDriver(
         IContentManager contentManager,
         IContentDefinitionManager contentDefinitionManager,
+        IHttpContextAccessor httpContextAccessor,
+        IAuthorizationService authorizationService,
         IServiceProvider serviceProvider
     )
     {
         _contentDefinitionManager = contentDefinitionManager;
+        _httpContextAccessor = httpContextAccessor;
+        _authorizationService = authorizationService;
         _contentManager = contentManager;
         _serviceProvider = serviceProvider;
     }
@@ -41,10 +51,24 @@ public override async Task DisplayAsync(WidgetsListPart part, Bu
         var contentItemDisplayManager = _serviceProvider.GetRequiredService();
+        var user = _httpContextAccessor.HttpContext.User;
+        var widgetDefinitions = (await _contentDefinitionManager.ListWidgetTypeDefinitionsAsync())
+            .ToDictionary(x => x.Name, StringComparer.OrdinalIgnoreCase);
+
         foreach (var zone in part.Widgets.Keys)
         {
             foreach (var widget in part.Widgets[zone])
             {
+                if (!widgetDefinitions.TryGetValue(widget.ContentType, out var definition))
+                {
+                    continue;
+                }
+
+                if (definition.IsSecurable() && !await _authorizationService.AuthorizeAsync(user, CommonPermissions.ViewContent, widget))
+                {
+                    continue;
+                }
+
                 var layerMetadata = widget.As();
                 if (layerMetadata != null)
diff --git a/src/OrchardCore.Themes/TheTheme/Views/FlowPart.cshtml b/src/OrchardCore.Themes/TheTheme/Views/FlowPart.cshtml
index 6da45176ea2..a3b8103cdc0 100644
--- a/src/OrchardCore.Themes/TheTheme/Views/FlowPart.cshtml
+++ b/src/OrchardCore.Themes/TheTheme/Views/FlowPart.cshtml
@@ -1,14 +1,35 @@
+@using Microsoft.AspNetCore.Authorization
 @using OrchardCore.ContentManagement
+@using OrchardCore.ContentManagement.Metadata
+@using OrchardCore.Contents
 @using OrchardCore.Flows.Models
 @using OrchardCore.Flows.ViewModels
 @using OrchardCore.Mvc.Utilities
+@using OrchardCore.ContentManagement.Metadata.Models
 @model FlowPartViewModel
+
 @inject OrchardCore.ContentManagement.Display.IContentItemDisplayManager ContentItemDisplayManager
+@inject IAuthorizationService AuthorizationService
+@inject IContentDefinitionManager ContentDefinitionManager
+@{
+    var widgetDefinitions = (await ContentDefinitionManager.ListWidgetTypeDefinitionsAsync())
+        .ToDictionary(x => x.Name, StringComparer.OrdinalIgnoreCase);
+}
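Review bot: `var user = _httpContextAccessor.HttpContext.User;` dereferences HttpContext without a null check, and a display driver can run outside an HTTP request, where IHttpContextAccessor.HttpContext is null and this line would throw a NullReferenceException before any widget is rendered. A deny-by-default form keeps securable widgets hidden when there is no principal to authorize: `var user = _httpContextAccessor.HttpContext?.User;` together with `if (definition.IsSecurable() && (user is null || !await _authorizationService.AuthorizeAsync(user, CommonPermissions.ViewContent, widget)))`. Non-securable widget types bypass the check entirely, which matches the previous behavior but is worth stating in a comment on the `IsSecurable()` guard, e.g. `// Only securable types are permission-checked; other widget types render as before.`. DisplayAsync continues outside the hunk.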
 @foreach (var widget in Model.FlowPart.Widgets)
 {
+    if (!widgetDefinitions.TryGetValue(widget.ContentType, out var definition))
+    {
+        continue;
+    }
+
+    if (definition.IsSecurable() && !await AuthorizationService.AuthorizeAsync(User, CommonPermissions.ViewContent, widget))
+    {
+        continue;
+    }
+
     var widgetContent = await ContentItemDisplayManager.BuildDisplayAsync(widget, Model.BuildPartDisplayContext.Updater, Model.BuildPartDisplayContext.DisplayType, Model.BuildPartDisplayContext.GroupId);
     var flowMetadata = widget.As();
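Review bot: The added blank line between `@model FlowPartViewModel` and the `@inject` directives has no counterpart in the OrchardCore.Flows copy of this view, so the two headers now differ only in whitespace; keeping them byte-identical makes it easy to verify that the duplicated guard stays in sync. Within this hunk the theme override is now identical to the module view, so it may no longer need to exist at all, though the rest of the file is outside the hunk and might still differ.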