Add UI permissions based on the user role #6823
Conversation
| @if (String.IsNullOrWhiteSpace(returnUrl)) | ||
| { | ||
| <button class="primaryAction btn btn-primary" type="submit" name="submit.Save" value="submit.Save">@T["Save Draft"]</button> | ||
| } | ||
| else | ||
| { | ||
| <div class="btn-group"> | ||
| <button class="btn btn-primary" type="submit" name="submit.Save" value="submit.Save">@T["Save Draft"]</button> | ||
| <button type="button" class="btn btn-primary dropdown-toggle dropdown-toggle-split" data-reference="parent" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> | ||
| <button class="btn btn-primary @((hasEditOwnContentPermission && contentItem?.Owner == User.Identity.Name) || hasEditContentPermission ? String.Empty : "disabled")" type="submit" name="submit.Save" value="submit.Save">@T["Save Draft"]</button> |
There was a problem hiding this comment.
I'm not quite sure why the Model.ContentItem is null
|
@hishamco I'm afraid this is not the correct solution. The issue, as I explained to you on your last pr related to this, starts as a problem with the content type filter, which is designed to only list content types for which the user has the The bug, or issue, is that when the filter is finds no editable content types, it is currently falling back to listing all content types. That is the issue to resolve, and following that the issue would be how could a contributor list their own content. One of the answers to that, is that they can't, and the role maybe more intended as a permission for contributors contributing via live writer, or other entry points to the system. Note: This is how it was in O1 as well |
This is another issue, I started with the issue that raise during the demo of @agriffard last two weeks when he publish a content and got 404, then after checking the roles permissions I realize there is no issue with that, except the UI permissions so that's why I point to that in the original issue I think we need to change the issue's title to avoid misunderstanding |
|
We need to open another PR for the issue that you mentioned |
|
Ok maybe they are seperate issues. Could you read the comments in the code on how to check for content permissions. This is not the correct way |
Yep, this is another one, I remembered the one that you meant, there is an open PR that needs a revise
Which comments do you mean? If I'm not wrong |
src/OrchardCore.Modules/OrchardCore.Contents/Views/Content.PublishButton.cshtml
Outdated
Show resolved
Hide resolved
|
It's not clear what this PR is trying to fix, it seems unrelated to the issue that is linked. Can you open an issue and describe it? |
|
Sure |
src/OrchardCore.Modules/OrchardCore.Contents/Views/Contents-Button-Actions.SummaryAdmin.cshtml
Show resolved
Hide resolved
| <div class="form-group"> | ||
| <div class="btn-group"> | ||
| @if (Model.CreatableTypes.Any()) | ||
| { | ||
| ContentItem contentItem = await ContentManager.NewAsync(Model.CreatableTypes?.First().Value); | ||
| var hasEditContentPermission = await AuthorizationService.AuthorizeAsync(User, OrchardCore.Contents.Permissions.EditContent, contentItem); |
There was a problem hiding this comment.
this check should have already happened in the controller, and it shouldn't be in the CreatableTypes list.
If it isn't happening in the controller it should.
It would also have to happen on every type, not just the first one
There was a problem hiding this comment.
Seems the check was there before I added my changes, I will remove it then
There was a problem hiding this comment.
The list of CreatableTypes should just not contain the ones you can't create. And even that is a minor issue IMO if that complexifies the code too much (or make it too slow).
There was a problem hiding this comment.
This code you've added needs to be in the controller, or not at all
There was a problem hiding this comment.
@deanmarcussen AFAIK when the permission is not applied in the controller we returns Forbid, so in this case how can I check the permission If I move it to the controller?
There was a problem hiding this comment.
See where the list is being created
There was a problem hiding this comment.
I didn't dig into the code before, it's seems the check is already there, so I remove the one in the view
src/OrchardCore.Modules/OrchardCore.Contents/Views/Contents-Button-Actions.SummaryAdmin.cshtml
Outdated
Show resolved
Hide resolved
src/OrchardCore.Modules/OrchardCore.Contents/Views/Content.SummaryAdmin.cshtml
Outdated
Show resolved
Hide resolved
hishamco
force-pushed
the
hishamco/ui-permissions
branch
from
b43c294
to
a637029
Compare
hishamco
force-pushed
the
hishamco/ui-permissions
branch
from
a637029
to
0a06083
Compare
| @if (hasPublished) | ||
| { | ||
| <a display-for="@contentItem" class="btn btn-success btn-sm" itemprop="">@T["View"]</a> | ||
| } |
There was a problem hiding this comment.
Strange!! let me check again ...
There was a problem hiding this comment.
Nah!! the condition get copied twice during merge conflict
| var returnUrl = Context.Request.Query["returnUrl"]; | ||
| var hasPublishContentPermission = await AuthorizationService.AuthorizeAsync(User, OrchardCore.Contents.Permissions.PublishContent, contentItem); |
There was a problem hiding this comment.
PublishOwnContent. These permissions are not taking in consideration when we want to use PublishOwn or EditOwn they need to be changed.
There was a problem hiding this comment.
These permissions are not taking in consideration when we want to use PublishOwn or EditOwn
Why?
There was a problem hiding this comment.
@Skrypt code is good here I think. a PublishContent permission request is morphed to PublishOwn. You shouldn't request PublishOwn directly (see comments in CommonPermissions)
There was a problem hiding this comment.
It doesn't work if you have set a PublishOwn_ContentTypeName permission which is dynamic. So the issue is that the PR makes it impossible to have a role that has Publish/Edit/Delete own permission on a single custom content type. I have a PR coming up.
There was a problem hiding this comment.
| @@ -57,3 +57,15 @@ | |||
| { | |||
| <div class="col primary">@await DisplayAsync(Model.Content)</div> | |||
| } | |||
|
|
|||
| <script at="Foot" type="text/javascript"> | |||
There was a problem hiding this comment.
Why not use a named script with a class selector ? Instead of having tons of instances of this code on the page ?
There was a problem hiding this comment.
@netwavebe already fixed it @jptissot exactly as you suggested.
There was a problem hiding this comment.
Ah cool, I did not realize this was an old pr :)
There was a problem hiding this comment.
It got merged to dev a few days ago. See #7070
|
ContentsDriver.Edit ContentItem contentItem = Model.ContentItem; Model.ContentItem is null |
|
@Skrypt can you please check this in your PR? |
|
The ContentItem passed to the ContentTypeAuthorizationHandler can sometimes be null but in this case here it's not supposed to. In the ContentsDriver it assumes that it renders a ContentItem already. If the ContentItem == null then the ContentTypeAuthorizationHandler will simply return the previous Auth result without processing anything further. I looked last night and ContentTypeAuthorizationHandler is fine. Though here if the ContentItem == null then the ContentDriver should throw an exception and it's a different issue I think. |
|
Yes please PR has moved to #7104 now. |
|
Is it regression bug or something else related? |
|
This PR fixes one part of the issues. I think we fixed both the same issues in 2 different PR's. Mine is going one step further by introducing 2 new permissions for the admin UI. I'm not sure it's a regression. I think the issue was there since a while and adding the permissions on the buttons just revealed the underlying issue. |
Fixes #6847