VirtoCommerce / vc-platform

Virto Commerce B2B Innovation Platform
https://virtocommerce.com

Content module doesn't check scope based permissions when creating and deleting pages #1021

Open Woland2k opened 7 years ago

Woland2k commented 7 years ago

Need to check scope user permissions for a particular store when creating pages.

As a manager, I want to manage permissions to Create, Update or Delete pages

tatarincev commented 7 years ago

In the content module, we need to support only one scope, which is Store. Here is an example of how to work with scope-based permissions: https://github.com/VirtoCommerce/vc-module-store/blob/master/VirtoCommerce.StoreModule.Web/Controllers/Api/StoreModuleController.cs#L233

tatarincev commented 7 years ago

Did you test what you made? None of the content permissions contains a scope definition UI. All methods have the [CheckPermission(Permission = ContentPredefinedPermissions.XXXX)] attribute, which will always throw a 401 exception for a customer without a global permission.

tatarincev commented 7 years ago

See how it is made in the order module:
https://github.com/VirtoCommerce/vc-module-order/blob/master/VirtoCommerce.OrderModule.Web/Security/OrderStoreScope.cs
https://github.com/VirtoCommerce/vc-module-order/blob/master/VirtoCommerce.OrderModule.Web/Scripts/order.js#L352
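
Added example, not part of the original thread and not VirtoCommerce code: a minimal C# model of the difference the comments above describe, between a check that only knows the permission name (which rejects a store-scoped user) and a check that also receives the target store. All types, permission ids and store ids here are hypothetical and constructed for illustration.

```csharp
// Added illustration; every type and name is hypothetical, not the platform's API.
using System;
using System.Collections.Generic;
using System.Linq;

// A grant is a permission id plus the store ids it is limited to (empty = global).
record Grant(string Permission, string[] StoreScopes);

static class ContentAuthorization
{
    // Global check: all that a declarative attribute naming only the permission can evaluate.
    public static bool HasGlobal(IEnumerable<Grant> grants, string permission) =>
        grants.Any(g => g.Permission == permission && g.StoreScopes.Length == 0);

    // Scope-aware check: a global grant passes; otherwise the target store must be in scope.
    // A null or unknown store id matches no scoped grant, so the check fails closed.
    public static bool HasForStore(IEnumerable<Grant> grants, string permission, string storeId) =>
        grants.Any(g => g.Permission == permission &&
            (g.StoreScopes.Length == 0 ||
             g.StoreScopes.Contains(storeId, StringComparer.OrdinalIgnoreCase)));
}

static class Program
{
    static void Main()
    {
        // Constructed sample: a manager allowed to create pages only in store "b2b-eu".
        var manager = new[] { new Grant("content:create", new[] { "b2b-eu" }) };

        // Global-only check rejects the scoped manager for every store (the 401 case in the thread).
        Console.WriteLine(ContentAuthorization.HasGlobal(manager, "content:create"));
        // Scope-aware check accepts the manager's own store and rejects any other store.
        Console.WriteLine(ContentAuthorization.HasForStore(manager, "content:create", "b2b-eu"));
        Console.WriteLine(ContentAuthorization.HasForStore(manager, "content:create", "b2c-us"));
        // Delete was never granted, so it is rejected even inside the manager's store.
        Console.WriteLine(ContentAuthorization.HasForStore(manager, "content:delete", "b2b-eu"));
    }
}
```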