OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License
7.42k stars 2.39k forks

Use Permissions.ViewContent for GetEndpoint #15785

Closed infofromca closed 6 months ago

infofromca commented 6 months ago

Describe the bug

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'Content GET API'

  2. See error DIFF PERMISSION in whole site

Expected behavior

This GET API should have the same permission as 👍

```csharp
public async Task<IActionResult> Display(string contentItemId, string jsonPath)
{
    var contentItem = await _contentManager.GetAsync(contentItemId, jsonPath);

    if (contentItem == null)
    {
        return NotFound();
    }

    if (!await _authorizationService.AuthorizeAsync(User, CommonPermissions.ViewContent, contentItem))
    {
        return this.ChallengeOrForbid();
    }

    var model = await _contentItemDisplayManager.BuildDisplayAsync(contentItem, this);

    return View(model);
}
```

MikeAlhayek commented 6 months ago

Not really. We use both permissions. First we make sure you have permission to access the API. Then we check to see if you have permission to view the requested content item.
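
The two checks described in the reply above, as an added example that is not part of the thread or of Orchard Core's code: a self-contained C# model in which the `ApiAccess` permission name, `CanView` and the in-memory store are hypothetical stand-ins. It shows why a user who holds only ViewContent gets the item from `Display` but is refused by the API GET.

```csharp
using System;
using System.Collections.Generic;

enum Result { Ok, NotFound, Forbidden }

record User(string Name, HashSet<string> Permissions);
record ContentItem(string Id, bool Published);

static class TwoGateDemo
{
    const string ApiAccess = "ApiAccess";     // hypothetical name for the API-level permission
    const string ViewContent = "ViewContent"; // the permission named in the issue

    // Constructed sample data: one published item, one draft.
    static readonly Dictionary<string, ContentItem> Store = new()
    {
        ["a1"] = new ContentItem("a1", Published: true),
        ["d1"] = new ContentItem("d1", Published: false),
    };

    // Resource-based check: the decision depends on the item, not only on the user.
    static bool CanView(User u, ContentItem item) =>
        u.Permissions.Contains(ViewContent) && item.Published;

    // Shape of the MVC Display action quoted in the issue: a single gate on the item.
    public static Result Display(User u, string id)
    {
        if (!Store.TryGetValue(id, out var item)) return Result.NotFound;
        return CanView(u, item) ? Result.Ok : Result.Forbidden;
    }

    // Shape of the API GET as described in the reply: API access first, then the item check.
    public static Result ApiGet(User u, string id)
    {
        if (!u.Permissions.Contains(ApiAccess)) return Result.Forbidden;
        return Display(u, id);
    }

    static void Main()
    {
        var users = new[]
        {
            new User("visitor",   new HashSet<string> { ViewContent }),
            new User("apiClient", new HashSet<string> { ApiAccess, ViewContent }),
            new User("apiOnly",   new HashSet<string> { ApiAccess }),
        };
        foreach (var u in users)
            foreach (var id in new[] { "a1", "d1", "missing" })
                Console.WriteLine($"{u.Name,-9} {id,-7} Display={Display(u, id),-9} ApiGet={ApiGet(u, id)}");
    }
}
```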