/// <summary>
/// Checks if the user has access to post a content item based on whether it's being created or saved.
/// </summary>
/// <param name="mediaItem"></param>
/// <param name="actionContext"></param>
private async Task <bool> ValidateUserAccessAsync(MediaItemSave?mediaItem, ActionExecutingContext actionContext)
{
//We now need to validate that the user is allowed to be doing what they are doing.
//Then if it is new, we need to lookup those permissions on the parent.
IMedia?contentToCheck;
int contentIdToCheck;
switch (mediaItem?.Action)
{
case ContentSaveAction.Save:
contentToCheck = mediaItem.PersistedContent;
contentIdToCheck = contentToCheck?.Id ?? default;
break;
case ContentSaveAction.SaveNew:
contentToCheck = _mediaService.GetById(mediaItem.ParentId);
if (mediaItem.ParentId != Constants.System.Root)
{
contentToCheck = _mediaService.GetById(mediaItem.ParentId);
contentIdToCheck = contentToCheck?.Id ?? default;
}
else
{
contentIdToCheck = mediaItem.ParentId;
}
break;
default:
//we don't support this for media
actionContext.Result = new NotFoundResult();
return(false);
}
MediaPermissionsResource resource = contentToCheck == null
? new MediaPermissionsResource(contentIdToCheck)
: new MediaPermissionsResource(contentToCheck);
AuthorizationResult authorizationResult = await _authorizationService.AuthorizeAsync(
actionContext.HttpContext.User,
resource,
AuthorizationPolicies.MediaPermissionByResource);
if (!authorizationResult.Succeeded)
{
actionContext.Result = new ForbidResult();
return(false);
}
return(true);
}
private static AuthorizationHandlerContext CreateAuthorizationHandlerContext(int nodeId, bool createWithNodeId = false)
{
var requirement = new MediaPermissionsResourceRequirement();
var user = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim>()));
IMedia media = CreateMedia(nodeId);
MediaPermissionsResource resource = createWithNodeId
? new MediaPermissionsResource(nodeId)
: new MediaPermissionsResource(media);
return(new AuthorizationHandlerContext(new List <IAuthorizationRequirement> {
requirement
}, user, resource));
}
/// <summary>
/// Change the sort order for media
/// </summary>
/// <param name="sorted"></param>
/// <returns></returns>
public async Task <IActionResult> PostSort(ContentSortOrder sorted)
{
if (sorted == null)
{
return(NotFound());
}
//if there's nothing to sort just return ok
if (sorted.IdSortOrder?.Length == 0)
{
return(Ok());
}
// Authorize...
var requirement = new MediaPermissionsResourceRequirement();
var resource = new MediaPermissionsResource(sorted.ParentId);
AuthorizationResult authorizationResult =
await _authorizationService.AuthorizeAsync(User, resource, requirement);
if (!authorizationResult.Succeeded)
{
return(Forbid());
}
var sortedMedia = new List <IMedia>();
try
{
sortedMedia.AddRange(sorted.IdSortOrder?.Select(_mediaService.GetById).WhereNotNull() ??
Enumerable.Empty <IMedia>());
// Save Media with new sort order and update content xml in db accordingly
if (_mediaService.Sort(sortedMedia) == false)
{
_logger.LogWarning("Media sorting failed, this was probably caused by an event being cancelled");
return(ValidationProblem("Media sorting failed, this was probably caused by an event being cancelled"));
}
return(Ok());
}
catch (Exception ex)
{
_logger.LogError(ex, "Could not update media sort order");
throw;
}
}
