Blogging post detail page may have wrong creator authority check.

[gdlcf88]

abp/modules/blogging/src/Volo.Blogging.Application/Volo/Blogging/Posts/PostAuthorizationHandler.cs

Lines 36 to 59 in 42f37c5

	private async Task<bool> HasDeletePermission(AuthorizationHandlerContext context, Post resource)
	{
	if (await _permissionChecker.IsGrantedAsync(context.User, BloggingPermissions.Posts.Delete))
	{
	return true;
	}
	return false;
	}
	private async Task<bool> HasUpdatePermission(AuthorizationHandlerContext context, Post resource)
	{
	if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId())
	{
	return true;
	}
	if (await _permissionChecker.IsGrantedAsync(context.User, BloggingPermissions.Posts.Update))
	{
	return true;
	}
	return false;
	}

abp/modules/blogging/src/Volo.Blogging.Application/Volo/Blogging/Comments/CommentAuthorizationHandler.cs

Lines 36 to 59 in 42f37c5

	private async Task<bool> HasDeletePermission(AuthorizationHandlerContext context, Comment resource)
	{
	if (await _permissionChecker.IsGrantedAsync(context.User, BloggingPermissions.Comments.Delete))
	{
	return true;
	}
	return false;
	}
	private async Task<bool> HasUpdatePermission(AuthorizationHandlerContext context, Comment resource)
	{
	if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId())
	{
	return true;
	}
	if (await _permissionChecker.IsGrantedAsync(context.User, BloggingPermissions.Comments.Update))
	{
	return true;
	}
	return false;
	}

It seems that users cannot delete their own posts/comments, but in the detail page I found:

abp/modules/blogging/src/Volo.Blogging.Web/Pages/Blog/Posts/Detail.cshtml

Lines 70 to 83 in 42f37c5

	@if (await Authorization.IsGrantedAsync(BloggingPermissions.Posts.Update))
	{
	<span class="seperator">|</span>
	<a asp-page="./Edit" asp-route-postId="@Model.Post.Id" asp-route-blogShortName="@Model.BlogShortName">
	<i class="fa fa-pencil"></i> @L["Edit"]
	</a>
	}
	@if (await Authorization.IsGrantedAsync(BloggingPermissions.Posts.Delete) || (CurrentUser.Id == Model.Post.CreatorId))
	{
	<span class="seperator">|</span>
	<a href="#" id="DeletePostLink" data-postid="@Model.Post.Id" data-blogShortName="@Model.BlogShortName">
	<i class="fa fa-trash"></i> @L["Delete"]
	</a>
	}

abp/modules/blogging/src/Volo.Blogging.Web/Pages/Blog/Posts/Detail.cshtml

Lines 235 to 241 in 42f37c5

	@if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Delete) || (CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))
	{
	<span class="seperator">|</span>
	<a href="#" class="tag deleteLink" data-deleteid="@reply.Id">
	<i class="fa fa-trash" aria-hidden="true"></i> @L["Delete"]
	</a>
	}

[gdlcf88]

I will close this issue, the problem seems to have been fixed by this commit:
b0adb9f

Hi @yekalkan , maybe this todo needs to be completed:

abp/modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

Line 13 in 21ecea0

var hasCommentingPermission = CurrentUser.IsAuthenticated; //TODO: Apply real policy!