-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add UI permissions based on the user role #6823
Conversation
@if (String.IsNullOrWhiteSpace(returnUrl)) | ||
{ | ||
<button class="primaryAction btn btn-primary" type="submit" name="submit.Save" value="submit.Save">@T["Save Draft"]</button> | ||
} | ||
else | ||
{ | ||
<div class="btn-group"> | ||
<button class="btn btn-primary" type="submit" name="submit.Save" value="submit.Save">@T["Save Draft"]</button> | ||
<button type="button" class="btn btn-primary dropdown-toggle dropdown-toggle-split" data-reference="parent" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> | ||
<button class="btn btn-primary @((hasEditOwnContentPermission && contentItem?.Owner == User.Identity.Name) || hasEditContentPermission ? String.Empty : "disabled")" type="submit" name="submit.Save" value="submit.Save">@T["Save Draft"]</button> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not quite sure why the Model.ContentItem
is null
@hishamco I'm afraid this is not the correct solution. The issue, as I explained to you on your last pr related to this, starts as a problem with the content type filter, which is designed to only list content types for which the user has the The bug, or issue, is that when the filter is finds no editable content types, it is currently falling back to listing all content types. That is the issue to resolve, and following that the issue would be how could a contributor list their own content. One of the answers to that, is that they can't, and the role maybe more intended as a permission for contributors contributing via live writer, or other entry points to the system. Note: This is how it was in O1 as well |
This is another issue, I started with the issue that raise during the demo of @agriffard last two weeks when he publish a content and got 404, then after checking the roles permissions I realize there is no issue with that, except the UI permissions so that's why I point to that in the original issue I think we need to change the issue's title to avoid misunderstanding |
We need to open another PR for the issue that you mentioned |
Ok maybe they are seperate issues. Could you read the comments in the code on how to check for content permissions. This is not the correct way |
Yep, this is another one, I remembered the one that you meant, there is an open PR that needs a revise
Which comments do you mean? If I'm not wrong |
src/OrchardCore.Modules/OrchardCore.Contents/Views/Content.PublishButton.cshtml
Outdated
Show resolved
Hide resolved
It's not clear what this PR is trying to fix, it seems unrelated to the issue that is linked. Can you open an issue and describe it? |
Sure |
src/OrchardCore.Modules/OrchardCore.Contents/Views/Contents-Button-Actions.SummaryAdmin.cshtml
Show resolved
Hide resolved
<div class="form-group"> | ||
<div class="btn-group"> | ||
@if (Model.CreatableTypes.Any()) | ||
{ | ||
ContentItem contentItem = await ContentManager.NewAsync(Model.CreatableTypes?.First().Value); | ||
var hasEditContentPermission = await AuthorizationService.AuthorizeAsync(User, OrchardCore.Contents.Permissions.EditContent, contentItem); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this check should have already happened in the controller, and it shouldn't be in the CreatableTypes
list.
If it isn't happening in the controller it should.
It would also have to happen on every type, not just the first one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems the check was there before I added my changes, I will remove it then
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The list of CreatableTypes should just not contain the ones you can't create. And even that is a minor issue IMO if that complexifies the code too much (or make it too slow).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code you've added needs to be in the controller, or not at all
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@deanmarcussen AFAIK when the permission is not applied in the controller we returns Forbid
, so in this case how can I check the permission If I move it to the controller?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See where the list is being created
OrchardCore/src/OrchardCore.Modules/OrchardCore.Contents/Controllers/AdminController.cs
Line 126 in c8e7ea5
creatableList.Add(new SelectListItem(new LocalizedString(contentTypeDefinition.DisplayName, contentTypeDefinition.DisplayName).Value, contentTypeDefinition.Name)); |
OrchardCore/src/OrchardCore.Modules/OrchardCore.Contents/Controllers/AdminController.cs
Line 163 in c8e7ea5
var authorized = await _authorizationService.AuthorizeAsync(User, Permissions.EditContent, await _contentManager.NewAsync(ctd.Name)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't dig into the code before, it's seems the check is already there, so I remove the one in the view
src/OrchardCore.Modules/OrchardCore.Contents/Views/Contents-Button-Actions.SummaryAdmin.cshtml
Outdated
Show resolved
Hide resolved
src/OrchardCore.Modules/OrchardCore.Contents/Views/Content.SummaryAdmin.cshtml
Outdated
Show resolved
Hide resolved
b43c294
to
a637029
Compare
a637029
to
0a06083
Compare
@if (hasPublished) | ||
{ | ||
<a display-for="@contentItem" class="btn btn-success btn-sm" itemprop="">@T["View"]</a> | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strange!! let me check again ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nah!! the condition get copied twice during merge conflict
var returnUrl = Context.Request.Query["returnUrl"]; | ||
var hasPublishContentPermission = await AuthorizationService.AuthorizeAsync(User, OrchardCore.Contents.Permissions.PublishContent, contentItem); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PublishOwnContent. These permissions are not taking in consideration when we want to use PublishOwn or EditOwn they need to be changed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These permissions are not taking in consideration when we want to use PublishOwn or EditOwn
Why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Skrypt code is good here I think. a PublishContent permission request is morphed to PublishOwn. You shouldn't request PublishOwn directly (see comments in CommonPermissions)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't work if you have set a PublishOwn_ContentTypeName permission which is dynamic. So the issue is that the PR makes it impossible to have a role that has Publish/Edit/Delete own permission on a single custom content type. I have a PR coming up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -57,3 +57,15 @@ | |||
{ | |||
<div class="col primary">@await DisplayAsync(Model.Content)</div> | |||
} | |||
|
|||
<script at="Foot" type="text/javascript"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not use a named script with a class selector ? Instead of having tons of instances of this code on the page ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@netwavebe already fixed it @jptissot exactly as you suggested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah cool, I did not realize this was an old pr :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It got merged to dev a few days ago. See #7070
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @netwavebe :)
ContentsDriver.Edit ContentItem contentItem = Model.ContentItem; Model.ContentItem is null |
@Skrypt can you please check this in your PR? |
The ContentItem passed to the ContentTypeAuthorizationHandler can sometimes be null but in this case here it's not supposed to. In the ContentsDriver it assumes that it renders a ContentItem already. If the ContentItem == null then the ContentTypeAuthorizationHandler will simply return the previous Auth result without processing anything further. I looked last night and ContentTypeAuthorizationHandler is fine. Though here if the ContentItem == null then the ContentDriver should throw an exception and it's a different issue I think. |
Yes please PR has moved to #7104 now. |
Is it regression bug or something else related? |
This PR fixes one part of the issues. I think we fixed both the same issues in 2 different PR's. Mine is going one step further by introducing 2 new permissions for the admin UI. I'm not sure it's a regression. I think the issue was there since a while and adding the permissions on the buttons just revealed the underlying issue. |
Fixes #6847