Added helper method for filtering the Sitemap for the current user. F…

…ixes #1262
PiranhaCMS · Jul 2, 2020 · 83a84f8 · 83a84f8
1 parent bf859f3
commit 83a84f8
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 2 deletions.
diff --git a/core/Piranha.AspNetCore/AspNetCoreSecurityExtensions.cs b/core/Piranha.AspNetCore/AspNetCoreSecurityExtensions.cs
@@ -9,10 +9,15 @@
  */
 
 using System;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.DependencyInjection;
 using Piranha;
 using Piranha.AspNetCore.Security;
+using Piranha.Models;
 
 /// <summary>
 /// Security extensions for simplifying authorization in
@@ -47,4 +52,45 @@ public static IApplicationBuilder UseSecurityMiddleware(this IApplicationBuilder
     {
         return builder.UseMiddleware<Piranha.AspNetCore.Security.SecurityMiddleware>();
     }
+
+    /// <summary>
+    /// Filters the current sitemap collection to only include the items the
+    /// current user has access to. Please note that this only filters the
+    /// current collection, it doesn't filter the entire strucure.
+    /// </summary>
+    /// <param name="sitemap">The sitemap items</param>
+    /// <param name="user">The current user</param>
+    /// <param name="auth">The authorization service</param>
+    /// <returns>The filtered collection</returns>
+    public static async Task<IEnumerable<SitemapItem>> ForUserAsync(this IEnumerable<SitemapItem> sitemap, ClaimsPrincipal user, IAuthorizationService auth)
+    {
+        var result = new Sitemap();
+
+        foreach (var item in sitemap)
+        {
+            if (item.Permissions.Count == 0)
+            {
+                result.Add(item);
+            }
+            else
+            {
+                var success = true;
+
+                foreach (var permission in item.Permissions)
+                {
+                    if (!(await auth.AuthorizeAsync(user, permission)).Succeeded)
+                    {
+                        success = false;
+                        break;
+                    }
+                }
+
+                if (success)
+                {
+                    result.Add(item);
+                }
+            }
+        }
+        return result;
+    }
 }
diff --git a/core/Piranha/Models/SitemapItem.cs b/core/Piranha/Models/SitemapItem.cs
@@ -9,6 +9,7 @@
  */
 
 using System;
+using System.Collections.Generic;
 
 namespace Piranha.Models
 {
@@ -87,6 +88,11 @@ public string MenuTitle
         /// </summary>
         public DateTime LastModified { get; set; }
 
+        /// <summary>
+        /// Gets/sets the permissions needed to access the page.
+        /// </summary>
+        public IList<string> Permissions { get; set; } = new List<string>();
+
         /// <summary>
         /// Default constructor.
         /// </summary>

diff --git a/data/Piranha.Data.EF/Module.cs b/data/Piranha.Data.EF/Module.cs
@@ -9,6 +9,7 @@
  */
 
 using System;
+using System.Linq;
 using AutoMapper;
 using Piranha.Extend;
 
@@ -99,7 +100,8 @@ static Module()
                     .ForMember(p => p.Level, o => o.Ignore())
                     .ForMember(p => p.Items, o => o.Ignore())
                     .ForMember(p => p.PageTypeName, o => o.Ignore())
-                    .ForMember(p => p.Permalink, o => o.MapFrom(d => !d.ParentId.HasValue && d.SortOrder == 0 ? "/" : "/" + d.Slug));
+                    .ForMember(p => p.Permalink, o => o.MapFrom(d => !d.ParentId.HasValue && d.SortOrder == 0 ? "/" : "/" + d.Slug))
+                    .ForMember(p => p.Permissions, o => o.MapFrom(d => d.Permissions.Select(dp => dp.Permission).ToList()));
                 cfg.CreateMap<Data.Param, Data.Param>()
                     .ForMember(p => p.Id, o => o.Ignore())
                     .ForMember(p => p.Created, o => o.Ignore());

diff --git a/data/Piranha.Data.EF/Repositories/SiteRepository.cs b/data/Piranha.Data.EF/Repositories/SiteRepository.cs
@@ -219,6 +219,7 @@ public async Task<T> GetContentById<T>(Guid id) where T : Models.SiteContent<T>
         {
             var pages = await _db.Pages
                 .AsNoTracking()
+                .Include(p => p.Permissions)
                 .Where(p => p.SiteId == id)
                 .OrderBy(p => p.ParentId)
                 .ThenBy(p => p.SortOrder)

diff --git a/examples/RazorWeb/Pages/Shared/Partial/_Menu.cshtml b/examples/RazorWeb/Pages/Shared/Partial/_Menu.cshtml
@@ -1,3 +1,5 @@
+@inject Microsoft.AspNetCore.Authorization.IAuthorizationService Auth
+
 <nav class="navbar navbar-expand-md">
     <div class="navbar-brand">
         <a href="https://twitter.com/piranhacms" target="blank"><img src="~/assets/img/twitter.png"></a>
@@ -9,7 +11,7 @@
     <div class="navbar-collapse collapse" id="mobileNavbar">
         <ul class="justify-content-center navbar-nav mr-auto">
 
-            @foreach (var item in WebApp.Site.Sitemap)
+            @foreach (var item in await WebApp.Site.Sitemap.ForUserAsync(User, Auth))
             {
                 if (!item.IsHidden)
                 {