一直致力于在不同用户/角色只能查看和编辑特定内容的站点上进行一些权限/身份验证扩展。即使使用 ContentPermissions 模块,用户没有查看和编辑权限的项目仍会在 /Admin/Content/List 页面中枚举(然后当您单击它时,您会被拒绝访问)
有没有办法完全防止这种情况发生?我在源代码中进行了挖掘,看起来它在那个阶段根本没有考虑权限:
来自Orchard.Core.Contents.Controllers.AdminController.cs:
public ActionResult List(ListContentsViewModel model, PagerParameters pagerParameters) {
Pager pager = new Pager(_siteService.GetSiteSettings(), pagerParameters);
var query = _contentManager.Query(VersionOptions.Latest, GetCreatableTypes(false).Select(ctd => ctd.Name).ToArray());
if (!string.IsNullOrEmpty(model.TypeName)) {
var contentTypeDefinition = _contentDefinitionManager.GetTypeDefinition(model.TypeName);
if (contentTypeDefinition == null)
return HttpNotFound();
model.TypeDisplayName = !string.IsNullOrWhiteSpace(contentTypeDefinition.DisplayName)
? contentTypeDefinition.DisplayName
: contentTypeDefinition.Name;
query = query.ForType(model.TypeName);
}
switch (model.Options.OrderBy) {
case ContentsOrder.Modified:
//query = query.OrderByDescending<ContentPartRecord, int>(ci => ci.ContentItemRecord.Versions.Single(civr => civr.Latest).Id);
query = query.OrderByDescending<CommonPartRecord>(cr => cr.ModifiedUtc);
break;
case ContentsOrder.Published:
query = query.OrderByDescending<CommonPartRecord>(cr => cr.PublishedUtc);
break;
case ContentsOrder.Created:
//query = query.OrderByDescending<ContentPartRecord, int>(ci => ci.Id);
query = query.OrderByDescending<CommonPartRecord>(cr => cr.CreatedUtc);
break;
}
model.Options.SelectedFilter = model.TypeName;
model.Options.FilterOptions = GetCreatableTypes(false)
.Select(ctd => new KeyValuePair<string, string>(ctd.Name, ctd.DisplayName))
.ToList().OrderBy(kvp => kvp.Value);
var pagerShape = Shape.Pager(pager).TotalItemCount(query.Count());
var pageOfContentItems = query.Slice(pager.GetStartIndex(), pager.PageSize).ToList();
var list = Shape.List();
list.AddRange(pageOfContentItems.Select(ci => _contentManager.BuildDisplay(ci, "SummaryAdmin")));
dynamic viewModel = Shape.ViewModel()
.ContentItems(list)
.Pager(pagerShape)
.Options(model.Options)
.TypeDisplayName(model.TypeDisplayName ?? "");
// Casting to avoid invalid (under medium trust) reflection over the protected View method and force a static invocation.
return View((object)viewModel);
}
在任何阶段都不会检查权限。
我真的不想编辑默认的 Orchard 模块;是否还有其他我遗漏的可扩展性点,或者其他任何人的任何想法(或者我是否必须硬着头皮只编辑 AdminController?)