adds security to changing premissions in the content dialog

src/Umbraco.Web/Editors/ContentController.cs

@@ -81,13 +81,17 @@ namespace Umbraco.Web.Editors
         {
             var foundContent = Services.ContentService.GetByIds(ids);
             return foundContent.Select(Mapper.Map<IContent, ContentItemDisplay>);
-        }
+        }
 
         /// <summary>
         /// Updates the permissions for a content item for a particular user group
         /// </summary>
         /// <param name="saveModel"></param>
         /// <returns></returns>
+        /// <remarks>
+        /// Permission check is done for letter 'R' which is for <see cref="ActionRights"/> which the user must have access to to update
+        /// </remarks>
+        [EnsureUserPermissionForContent("saveModel.ContentId", 'R')]
         public IEnumerable<AssignedUserGroupPermissions> PostSaveUserGroupPermissions(UserGroupPermissionsSave saveModel)
         {
             if (saveModel.ContentId <= 0) throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.NotFound));

src/Umbraco.Web/WebApi/Filters/EnsureUserPermissionForContentAttribute.cs

@@ -42,10 +42,12 @@ namespace Umbraco.Web.WebApi.Filters
 
         public EnsureUserPermissionForContentAttribute(string paramName)
         {
-            Mandate.ParameterNotNullOrEmpty(paramName, "paramName");
+            if (string.IsNullOrWhiteSpace(paramName)) throw new ArgumentException("Value cannot be null or whitespace.", "paramName");
+
             _paramName = paramName;
             _permissionToCheck = ActionBrowse.Instance.Letter;
-        }
+        }
+
         public EnsureUserPermissionForContentAttribute(string paramName, char permissionToCheck)
             : this(paramName)
         {