workflow trimming driver should check auth on edit #16592

deanmarcussen · 2024-08-20T19:59:18Z

just saw this in our code when I was fixing something else. can't 100% remember, but aren't the site drivers supposed to check permissions in the edit method as well.

    public override IDisplayResult Edit(ISite site, WorkflowTrimmingSettings settings, BuildEditorContext context)
    {
<!-- supposed to check auth here as well -->
        return Initialize<WorkflowTrimmingViewModel>("WorkflowTrimming_Fields_Edit", async model =>
        {
            model.RetentionDays = settings.RetentionDays;
            model.LastRunUtc = (await _workflowTrimmingStateDocumentManager.GetOrCreateImmutableAsync()).LastRunUtc;
            model.Disabled = settings.Disabled;

            foreach (var status in settings.Statuses ?? [])
            {
                model.Statuses.Single(statusItem => statusItem.Status == status).IsSelected = true;
            }
        }).Location("Content:5")
        .OnGroup(GroupId);
    }

    public override async Task<IDisplayResult> UpdateAsync(ISite site, WorkflowTrimmingSettings settings, UpdateEditorContext context)
    {
        if (!await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext?.User, Permissions.ManageWorkflowSettings))
        {
            return null;
        }

The text was updated successfully, but these errors were encountered:

deanmarcussen added the bug 🐛 label Aug 20, 2024

hishamco mentioned this issue Aug 20, 2024

Add permission check in edit WorkflowTrimmingDisplayDriver #16593

Merged

hishamco closed this as completed in #16593 Aug 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

workflow trimming driver should check auth on edit #16592

workflow trimming driver should check auth on edit #16592

deanmarcussen commented Aug 20, 2024

workflow trimming driver should check auth on edit #16592

workflow trimming driver should check auth on edit #16592

Comments

deanmarcussen commented Aug 20, 2024