在不同用户/角色只能查看和编辑特定内容的网站上处理某些权限/身份验证扩展。即使在使用ContentPermissions模块时,仍然会在/ Admin / Content / List页面中枚举用户没有查看和编辑权限的项目(然后当您单击它时,您将被拒绝访问)
有没有办法防止这种情况发生?我在源代码中进行了挖掘,看起来并不像在那个阶段需要考虑权限一样:
来自 Orchard.Core.Contents.Controllers.AdminController.cs :
public ActionResult List(ListContentsViewModel model, PagerParameters pagerParameters) {
Pager pager = new Pager(_siteService.GetSiteSettings(), pagerParameters);
var query = _contentManager.Query(VersionOptions.Latest, GetCreatableTypes(false).Select(ctd => ctd.Name).ToArray());
if (!string.IsNullOrEmpty(model.TypeName)) {
var contentTypeDefinition = _contentDefinitionManager.GetTypeDefinition(model.TypeName);
if (contentTypeDefinition == null)
return HttpNotFound();
model.TypeDisplayName = !string.IsNullOrWhiteSpace(contentTypeDefinition.DisplayName)
? contentTypeDefinition.DisplayName
: contentTypeDefinition.Name;
query = query.ForType(model.TypeName);
}
switch (model.Options.OrderBy) {
case ContentsOrder.Modified:
//query = query.OrderByDescending<ContentPartRecord, int>(ci => ci.ContentItemRecord.Versions.Single(civr => civr.Latest).Id);
query = query.OrderByDescending<CommonPartRecord>(cr => cr.ModifiedUtc);
break;
case ContentsOrder.Published:
query = query.OrderByDescending<CommonPartRecord>(cr => cr.PublishedUtc);
break;
case ContentsOrder.Created:
//query = query.OrderByDescending<ContentPartRecord, int>(ci => ci.Id);
query = query.OrderByDescending<CommonPartRecord>(cr => cr.CreatedUtc);
break;
}
model.Options.SelectedFilter = model.TypeName;
model.Options.FilterOptions = GetCreatableTypes(false)
.Select(ctd => new KeyValuePair<string, string>(ctd.Name, ctd.DisplayName))
.ToList().OrderBy(kvp => kvp.Value);
var pagerShape = Shape.Pager(pager).TotalItemCount(query.Count());
var pageOfContentItems = query.Slice(pager.GetStartIndex(), pager.PageSize).ToList();
var list = Shape.List();
list.AddRange(pageOfContentItems.Select(ci => _contentManager.BuildDisplay(ci, "SummaryAdmin")));
dynamic viewModel = Shape.ViewModel()
.ContentItems(list)
.Pager(pagerShape)
.Options(model.Options)
.TypeDisplayName(model.TypeDisplayName ?? "");
// Casting to avoid invalid (under medium trust) reflection over the protected View method and force a static invocation.
return View((object)viewModel);
}
在任何阶段都不会检查权限。
我真的不想编辑默认的Orchard模块;是否有任何其他可扩展性点,我缺少,或任何其他人的想法(或者我必须咬紧牙关只是编辑AdminController?)