private bool CheckPostsSaveRoles(AdminPostSave postSave, Post editedPost, ApplicationUser newAuthor) { if (!postSave.Id.HasValue && !HttpContext.UserHasClaimPermission(PermissionClaims.CreateNewPosts)) { return(false); } if (postSave.Id.HasValue && !HttpContext.UserHasClaimPermission(PermissionClaims.EditOtherUsersPosts) && !(editedPost.Author.UserName == User.Identity.Name && HttpContext.UserHasClaimPermission(PermissionClaims.EditOwnPosts))) { return(false); } if (!HttpContext.UserHasClaimPermission(PermissionClaims.EditOtherUsersPosts) && newAuthor.UserName != User.Identity.Name) { return(false); } if (postSave.IsPublished && (!postSave.Id.HasValue || !editedPost.IsPublished)) { string authorUserName = newAuthor.UserName; if (!(authorUserName != User.Identity.Name && HttpContext.UserHasClaimPermission(PermissionClaims.PublishOtherUsersPosts)) && !(authorUserName == User.Identity.Name && HttpContext.UserHasClaimPermission(PermissionClaims.PublishOwnPosts))) { return(false); } } return(true); }
public virtual ActionResult Edit([Bind(Prefix = "Post")] AdminPostSave postSave) { Post editedPost = postSave.Id.HasValue ? db.Posts.Include(x => x.Author).Include(x => x.PostTags).ThenInclude(x => x.Tag).Include(x => x.PostCategories).ThenInclude(x => x.Category).Single(x => x.Id == postSave.Id) : db.Posts.Add(new Post { CreationDate = DateTime.UtcNow, Slug = postSave.Slug, }).Entity; var newAuthor = userRepository.GetById(postSave.AuthorId); //postSave.AuthorId.HasValue ? userRepository.GetById(postSave.AuthorId.Value) : userRepository.GetByUsername(User.Identity.Name); if (CheckPostsSaveRoles(postSave, editedPost, newAuthor) == false) { return(Forbid()); } editedPost.Author = newAuthor; editedPost.LastModificationDate = DateTime.UtcNow; postSave.FillPost(editedPost, dateTimeUtil); if (db.Posts.Any(x => x.Slug == editedPost.Slug && x.Id != editedPost.Id)) { ModelState.AddModelError("Post.Slug", "This slug already exists"); } IEnumerable <string> tags = from tag in (postSave.Tags ?? string.Empty).Split(new[] { ',' }) where !string.IsNullOrWhiteSpace(tag) select tag.Trim(); var existingTags = editedPost.PostTags.Select(x => x.Tag.Name).ToList(); foreach (var removedTag in editedPost.PostTags.Where(x => tags.Contains(x.Tag.Name, StringComparer.OrdinalIgnoreCase) == false).ToList()) { editedPost.PostTags.Remove(removedTag); } foreach (var item in postRepository.GetOrCreateTags(tags.Where(x => existingTags.Contains(x, StringComparer.OrdinalIgnoreCase) == false))) { editedPost.PostTags.Add(new PostTag() { Tag = item }); } postSave.SelectedCategories = postSave.SelectedCategories ?? Enumerable.Empty <int>(); var categoriesToAdd = postSave.SelectedCategories.Except(editedPost.PostCategories.Select(x => x.CategoryId)); foreach (var removedCategory in editedPost.PostCategories.Where(x => postSave.SelectedCategories.Contains(x.CategoryId) == false).ToList()) { editedPost.PostCategories.Remove(removedCategory); } foreach (Category category in db.Categories.Where(x => categoriesToAdd.Contains(x.Id))) { editedPost.PostCategories.Add(new PostCategory() { Category = category }); } if (ModelState.IsValid) { db.SaveChanges(); CreatePostRevision(editedPost); return(RedirectToAction("Details", "Post", new { postSlug = editedPost.Slug })); } return(View(CreateAdminPostEdit(editedPost))); }