Use Permissions.ViewContent for GetEndpoint #15786

Closed
wants to merge 2 commits into from
Expand Up @@ -26,7 +26,7 @@ private static async Task<IResult> HandleAsync(
IAuthorizationService authorizationService,
HttpContext httpContext)
{
if (!await authorizationService.AuthorizeAsync(httpContext.User, Permissions.AccessContentApi))
if (!await authorizationService.AuthorizeAsync(httpContext.User, Permissions.ViewContent))
Member

The Permissions.AccessContentApi permission is the valid check here and should not be changed. Checking for Permissions.ViewContent is done on line 41.

Contributor Author

Yes, on line 41 there is. So I think we should not need:
if (!await authorizationService.AuthorizeAsync(httpContext.User, Permissions.AccessContentApi))
{
return httpContext.ChallengeOrForbid("Api");
}
Otherwise, for Anonymous, they will never hit line 41.

Member

Yes, and they should not hit line 41 by default. If you want the Anonymous role to do that, then grant the Anonymous role permission to AccessContentApi.

Contributor Author

But AccessContentApi was assigned to create and delete too.

Member

Yes, that is the idea. Granting Anonymous AccessContentApi is not a good idea. But if you want, you can grant AccessContentApi and ViewContent but not create, delete or publish; this way they can only view content via the API too.

Contributor Author

Can we give out good default values for the site? Especially if we need to automatically set up the site.

Member

You can control the default values in your recipes. There isn't anything in OC that should be changed here.

{
return httpContext.ChallengeOrForbid("Api");
}
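Review bot: Swapping Permissions.AccessContentApi for Permissions.ViewContent in the AuthorizeAsync call removes the API-access gate instead of adding a view check; the reviewer notes ViewContent is already enforced later in this handler (line 41 of the file), so after this change the first check is redundant and any principal holding ViewContent reaches the content API without ever being granted AccessContentApi. Keep `Permissions.AccessContentApi` on this line. If anonymous visitors are meant to read content through the API, the place to express that is the site recipe: grant AccessContentApi together with ViewContent (and not create, delete or publish) to the Anonymous role, which keeps the API gate and the read-only intent both explicit and configurable per site.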