#18823: Fixing permissions inforcement in Orchard.Tags

Work Item: 18823
2025-04-05 21:01:35 +08:00 · 2012-07-18 11:13:53 -07:00 · 2012-07-18 11:13:53 -07:00 · 6cac2dec49
commit 6cac2dec49
parent 9627dd030a
1 changed files with 6 additions and 0 deletions
--- a/src/Orchard.Web/Modules/Orchard.Tags/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Tags/Controllers/AdminController.cs
@ -26,6 +26,9 @@ namespace Orchard.Tags.Controllers {
        public Localizer T { get; set; }

        public ActionResult Index() {
+            if (!Services.Authorizer.Authorize(Permissions.ManageTags, T("Can't manage tags")))
+                return new HttpUnauthorizedResult();
+
            IEnumerable<TagRecord> tags = _tagService.GetTags();
            var entries = tags.Select(CreateTagEntry).ToList();
            var model = new TagsAdminIndexViewModel { Tags = entries };
@ -65,6 +68,9 @@ namespace Orchard.Tags.Controllers {
        [HttpPost, ActionName("Index")]
        [FormValueRequired("submit.Create")]
        public ActionResult IndexCreatePOST() {
+            if (!Services.Authorizer.Authorize(Permissions.ManageTags, T("Couldn't create tag")))
+                return new HttpUnauthorizedResult();
+
            var viewModel = new TagsAdminCreateViewModel();

            if (!TryUpdateModel(viewModel)) {