Prevent anonymous users performing GET on contentitem api (#5753)

OrchardCMS · Mar 19, 2020 · d5ff090 · d5ff090
1 parent 0872a9a
commit d5ff090
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/src/OrchardCore.Modules/OrchardCore.Contents/Controllers/ApiController.cs b/src/OrchardCore.Modules/OrchardCore.Contents/Controllers/ApiController.cs
@@ -33,7 +33,8 @@ public async Task<IActionResult> Get(string contentItemId)
                 return NotFound();
             }
 
-            if (!await _authorizationService.AuthorizeAsync(User, Permissions.ViewContent, contentItem))
+            if (!await _authorizationService.AuthorizeAsync(User, Permissions.GetApiContent) ||
+                !await _authorizationService.AuthorizeAsync(User, Permissions.ViewContent, contentItem))
             {
                 return this.ChallengeOrForbid();
             }

diff --git a/src/OrchardCore.Modules/OrchardCore.Contents/Permissions.cs b/src/OrchardCore.Modules/OrchardCore.Contents/Permissions.cs
@@ -24,6 +24,7 @@ public class Permissions : IPermissionProvider
         public static readonly Permission PreviewOwnContent = CommonPermissions.PreviewOwnContent;
         public static readonly Permission CloneContent = CommonPermissions.CloneContent;
         public static readonly Permission CloneOwnContent = CommonPermissions.CloneOwnContent;
+        public static readonly Permission GetApiContent = new Permission("GetApiContent", "View content via the api");
 
         //public static readonly Permission MetaListContent = new Permission { ImpliedBy = new[] { EditOwnContent, PublishOwnContent, DeleteOwnContent } };
 
@@ -42,7 +43,8 @@ public Task<IEnumerable<Permission>> GetPermissionsAsync()
                 PreviewOwnContent,
                 PreviewContent,
                 CloneContent,
-                CloneOwnContent
+                CloneOwnContent,
+                GetApiContent
             }
             .AsEnumerable());
         }
@@ -52,26 +54,26 @@ public IEnumerable<PermissionStereotype> GetDefaultStereotypes()
             return new[] {
                 new PermissionStereotype {
                     Name = "Administrator",
-                    Permissions = new[] {PublishContent, EditContent, DeleteContent, PreviewContent, CloneContent}
+                    Permissions = new[] {PublishContent, EditContent, DeleteContent, PreviewContent, CloneContent, GetApiContent}
                 },
                 new PermissionStereotype {
                     Name = "Editor",
-                    Permissions = new[] {PublishContent, EditContent, DeleteContent, PreviewContent, CloneContent}
+                    Permissions = new[] {PublishContent, EditContent, DeleteContent, PreviewContent, CloneContent, GetApiContent }
                 },
                 new PermissionStereotype {
                     Name = "Moderator"
                 },
                 new PermissionStereotype {
                     Name = "Author",
-                    Permissions = new[] {PublishOwnContent, EditOwnContent, DeleteOwnContent, PreviewOwnContent, CloneOwnContent}
+                    Permissions = new[] {PublishOwnContent, EditOwnContent, DeleteOwnContent, PreviewOwnContent, CloneOwnContent, GetApiContent }
                 },
                 new PermissionStereotype {
                     Name = "Contributor",
-                    Permissions = new[] {EditOwnContent, PreviewOwnContent, CloneOwnContent}
+                    Permissions = new[] {EditOwnContent, PreviewOwnContent, CloneOwnContent, GetApiContent }
                 },
                 new PermissionStereotype {
                     Name = "Authenticated",
-                    Permissions = new[] {ViewContent}
+                    Permissions = new[] {ViewContent, GetApiContent }
                 },
                 new PermissionStereotype {
                     Name = "Anonymous",