Open orchardbot opened 11 years ago
@jetski5822 commented:
That works however you would still have gone to the database, obtained the records and rehydrated the objects. Not very per-formant.
A better way to do it is to push out a projection and then write a security filter.
flew2bits commented:
So, are you suggesting a content permissions filter for the projections and then display that projection as a blog list shape? I think I might be able to figure that out.
@sebastienros commented:
TODO: Custom security filter
flew2bits created: https://orchard.codeplex.com/workitem/20047
I have a use case where I would like a blog to be publicly accessible, but have the option to make individual posts require an authenticated user to see. I added the content permissions part to the blog post type and created two blog posts, one without any special permissions and a second with permissions to only allow authenticated users.
The blog posts themselves work as expected. However, both blog posts appear in the blog list view. It appears the reason for this is that the Item method in BlogController.cs is not authorizing each of the blog posts it displays. An easy fix is below: var blogPosts = _blogPostService.Get(blogPart, pager.GetStartIndex(), pager.PageSize) .Where(b => _services.Authorizer.Authorize(Orchard.Core.Contents.Permissions.ViewContent, b)) .Select(b => _services.ContentManager.BuildDisplay(b, "Summary"));
By adding the Where filter, only the blog posts that a user could normally see are displayed in the summary list. Interestingly, this same thing is done for displaying the list of blogs in the List method.