New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix blogging module post detail page permission check. #3099

Closed

gdlcf88 wants to merge 8 commits into abpframework:dev from gdlcf88:fix-blogging-detail-page

Contributor

gdlcf88 commented Mar 12, 2020

gdlcf88 and others added 6 commits

December 6, 2019 11:39


          Merge pull request #4 from abpframework/dev

865d536

update


          Merge pull request #5 from abpframework/dev

8fe9efe

update


          Merge pull request #6 from abpframework/dev

784a7d6

Update


          Fix update/delete creator authority check.

c63a7ab


          Add missing CurrentUser.Id not null checks.

99d485b


          Fix creation permission check.

a6d4a0d

gdlcf88 changed the title ~~Fix blogging post detail page~~ Fix blogging module post detail page

Member

maliming commented Mar 13, 2020 •

edited

Loading

Can you resolve the conflict?

Conflicting files

modules/blogging/src/Volo.Blogging.Web/Pages/Blog/Posts/Detail.cshtml

maliming added this to the 2.3 milestone

maliming self-requested a review

March 13, 2020 02:45

maliming added abp-module-blogging enhancement labels

Contributor Author

gdlcf88 commented Mar 13, 2020

I will do it.

gdlcf88 added 2 commits

March 13, 2020 11:12


          Merge branch 'dev' of https://github.com/gdlcf88/abp into fix-bloggin…

c59e27b

…g-detail-page


          Restore redundant changes.

Contributor Author

gdlcf88 commented Mar 13, 2020

Done.

gdlcf88 changed the title ~~Fix blogging module post detail page~~ Fix blogging module post detail page permission check.

maliming reviewed

View reviewed changes

Member

maliming left a comment

When hasCommentingPermission is false, a link in the page will redirect the user to the login page.
We should handle this situation. It may be not logged in or without permissions.

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

Comment on lines +67 to 68

		@if (await Authorization.IsGrantedAsync(BloggingPermissions.Posts.Delete))
		{

Member

maliming Mar 13, 2020

Users are not allowed to delete their own Posts?

abp/modules/blogging/src/Volo.Blogging.Application/Volo/Blogging/Posts/PostAuthorizationHandler.cs

Line 38 in b0adb9f

    
           if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId())

Contributor Author

gdlcf88 Mar 13, 2020

Users are not allowed to delete their own Posts?

abp/modules/blogging/src/Volo.Blogging.Application/Volo/Blogging/Posts/PostAuthorizationHandler.cs

Line 38 in b0adb9f

if (resource.CreatorId != null && resource.CreatorId == context.User.FindUserId())

Sorry, my branch missed this commit:
b0adb9f#diff-e461a1b98fc07088163606c19001917c

Member

maliming Mar 13, 2020

You can merge dev into your branch.

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

@@ @@ -57,14 +57,14 @@ @@
                                                               <i class="fa fa-comment"></i> @L["CommentWithCount", @Model.CommentCount]
-                                                              @if (await Authorization.IsGrantedAsync(BloggingPermissions.Posts.Update))
+                                                              @if (await Authorization.IsGrantedAsync(BloggingPermissions.Posts.Update) || (CurrentUser.Id.HasValue && CurrentUser.Id == Model.Post.CreatorId))

Member

maliming Mar 13, 2020

(CurrentUser.Id.HasValue && CurrentUser.Id == Model.Post.CreatorId) can be CurrentUser.Id == Model.Post.CreatorId

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

                                                       {
                                                           <span class="seperator">|</span>
                                                           <a href="#" class="tag deleteLink" data-deleteid="@commentWithRepliesDto.Comment.Id">
                                                               <i class="fa fa-trash" aria-hidden="true"></i> @L["Delete"]
                                                           </a>
                                                       }
-                                                      @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))
+                                                      @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id.HasValue && CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))

Member

maliming Mar 13, 2020

Can be CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

@@ @@ -200,7 +200,7 @@ @@
                                                           </div>
                                                       </div>
                                                   }
-                                                  @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))
+                                                  @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id.HasValue && CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))

Member

maliming Mar 13, 2020

Can be CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

                                                                   {
                                                                       <span class="seperator">|</span>
                                                                       <a href="#" class="tag deleteLink" data-deleteid="@reply.Id">
                                                                           <i class="fa fa-trash" aria-hidden="true"></i> @L["Delete"]
                                                                       </a>
                                                                   }
-                                                                  @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))
+                                                                  @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id.HasValue && CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))

Member

maliming Mar 13, 2020

Can be CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

@@ @@ -276,7 +276,7 @@ @@
                                                                       </div>
                                                                   </div>
                                                               }
-                                                              @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))
+                                                              @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Update) || (CurrentUser.Id.HasValue && CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))

Member

maliming Mar 13, 2020

Can be CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId

yekalkan reviewed

View reviewed changes

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

@@ @@ -238,15 +238,15 @@ @@
                                                                           <i class="fa fa-reply" aria-hidden="true"></i> @L["Reply"]
                                                                       </a>
                                                                   }
-                                                                  @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Delete) || (CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))

Member

yekalkan Mar 13, 2020

Why did you remove CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId?

Contributor Author

gdlcf88 Mar 13, 2020

I forgot to merge the latest branch since the creator check was added into AuthorizationHandler 4 days ago. 😅

yekalkan reviewed

View reviewed changes

modules/blogging/src/Volo.Blogging.Web/Pages/Blogs/Posts/Detail.cshtml

@@ @@ -160,15 +160,15 @@ @@
                                                           </a>
                                                       }
-                                                      @if (await Authorization.IsGrantedAsync(BloggingPermissions.Comments.Delete) || (CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId))

Member

yekalkan Mar 13, 2020

Why did you remove CurrentUser.Id == commentWithRepliesDto.Comment.CreatorId?

gdlcf88 closed this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

abp-module-blogging enhancement