2

一直致力于在不同用户/角色只能查看和编辑特定内容的站点上进行一些权限/身份验证扩展。即使使用 ContentPermissions 模块,用户没有查看和编辑权限的项目仍会在 /Admin/Content/List 页面中枚举(然后当您单击它时,您会被拒绝访问)

有没有办法完全防止这种情况发生?我在源代码中进行了挖掘,看起来它在那个阶段根本没有考虑权限:

来自Orchard.Core.Contents.Controllers.AdminController.cs

public ActionResult List(ListContentsViewModel model, PagerParameters pagerParameters) {
        Pager pager = new Pager(_siteService.GetSiteSettings(), pagerParameters);

        var query = _contentManager.Query(VersionOptions.Latest, GetCreatableTypes(false).Select(ctd => ctd.Name).ToArray());

        if (!string.IsNullOrEmpty(model.TypeName)) {
            var contentTypeDefinition = _contentDefinitionManager.GetTypeDefinition(model.TypeName);
            if (contentTypeDefinition == null)
                return HttpNotFound();

            model.TypeDisplayName = !string.IsNullOrWhiteSpace(contentTypeDefinition.DisplayName)
                                        ? contentTypeDefinition.DisplayName
                                        : contentTypeDefinition.Name;
            query = query.ForType(model.TypeName);
        }

        switch (model.Options.OrderBy) {
            case ContentsOrder.Modified:
                //query = query.OrderByDescending<ContentPartRecord, int>(ci => ci.ContentItemRecord.Versions.Single(civr => civr.Latest).Id);
                query = query.OrderByDescending<CommonPartRecord>(cr => cr.ModifiedUtc);
                break;
            case ContentsOrder.Published:
                query = query.OrderByDescending<CommonPartRecord>(cr => cr.PublishedUtc);
                break;
            case ContentsOrder.Created:
                //query = query.OrderByDescending<ContentPartRecord, int>(ci => ci.Id);
                query = query.OrderByDescending<CommonPartRecord>(cr => cr.CreatedUtc);
                break;
        }

        model.Options.SelectedFilter = model.TypeName;
        model.Options.FilterOptions = GetCreatableTypes(false)
            .Select(ctd => new KeyValuePair<string, string>(ctd.Name, ctd.DisplayName))
            .ToList().OrderBy(kvp => kvp.Value);

        var pagerShape = Shape.Pager(pager).TotalItemCount(query.Count());
        var pageOfContentItems = query.Slice(pager.GetStartIndex(), pager.PageSize).ToList();

        var list = Shape.List();
        list.AddRange(pageOfContentItems.Select(ci => _contentManager.BuildDisplay(ci, "SummaryAdmin")));

        dynamic viewModel = Shape.ViewModel()
            .ContentItems(list)
            .Pager(pagerShape)
            .Options(model.Options)
            .TypeDisplayName(model.TypeDisplayName ?? "");

        // Casting to avoid invalid (under medium trust) reflection over the protected View method and force a static invocation.
        return View((object)viewModel);
    }

在任何阶段都不会检查权限。

我真的不想编辑默认的 Orchard 模块;是否还有其他我遗漏的可扩展性点,或者其他任何人的任何想法(或者我是否必须硬着头皮只编辑 AdminController?)

4

0 回答 0