From a072d4edb3b525cc0f71bbcfb7db8c335c1c3075 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Fri, 30 Jun 2017 14:42:08 +1000
Subject: [PATCH] adds security to changing premissions in the content dialog

---
 src/Umbraco.Web/Editors/ContentController.cs | 6 +++++-
 .../Filters/EnsureUserPermissionForContentAttribute.cs | 6 ++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/Umbraco.Web/Editors/ContentController.cs b/src/Umbraco.Web/Editors/ContentController.cs
index 001bbd21b9..4bcf47a441 100644
--- a/src/Umbraco.Web/Editors/ContentController.cs
+++ b/src/Umbraco.Web/Editors/ContentController.cs
@@ -81,13 +81,17 @@ namespace Umbraco.Web.Editors
 {
 var foundContent = Services.ContentService.GetByIds(ids);
 return foundContent.Select(Mapper.Map);
- }
+ }
 ///
 /// Updates the permissions for a content item for a particular user group
 ///
 ///
 ///
+ ///
+ /// Permission check is done for letter 'R' which is for which the user must have access to to update
+ ///
+ [EnsureUserPermissionForContent("saveModel.ContentId", 'R')]
 public IEnumerable PostSaveUserGroupPermissions(UserGroupPermissionsSave saveModel)
 {
 if (saveModel.ContentId <= 0) throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.NotFound));
diff --git a/src/Umbraco.Web/WebApi/Filters/EnsureUserPermissionForContentAttribute.cs b/src/Umbraco.Web/WebApi/Filters/EnsureUserPermissionForContentAttribute.cs
index 2e3eea490e..9cebc4b95a 100644
--- a/src/Umbraco.Web/WebApi/Filters/EnsureUserPermissionForContentAttribute.cs
+++ b/src/Umbraco.Web/WebApi/Filters/EnsureUserPermissionForContentAttribute.cs
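Review bot: The permission letter on the new `[EnsureUserPermissionForContent("saveModel.ContentId", 'R')]` attribute is a bare char literal, whereas the filter itself takes its default from `ActionBrowse.Instance.Letter`; sourcing the letter from the action class the remark refers to (presumably `ActionRights.Instance.Letter`, given the 'R' and the lost `<see cref>`) keeps the authorization check tied to the action definition instead of a magic character. The `"saveModel.ContentId"` binding is also resolved by name at runtime, so renaming the parameter or the `ContentId` property would silently detach the check from the action; a short comment on the attribute line and a test that asserts the forbidden response for a user without that permission would protect it. The remark currently reads `which is for which` and `access to to update`; suggest `/// Permission check is done for letter 'R' (the rights/permissions action), which the user must hold on the content item in order to update its permissions`. The body of PostSaveUserGroupPermissions continues beyond the hunk.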
@@ -42,10 +42,12 @@ namespace Umbraco.Web.WebApi.Filters
 public EnsureUserPermissionForContentAttribute(string paramName)
 {
- Mandate.ParameterNotNullOrEmpty(paramName, "paramName");
+ if (string.IsNullOrWhiteSpace(paramName)) throw new ArgumentException("Value cannot be null or whitespace.", "paramName");
+
 _paramName = paramName;
 _permissionToCheck = ActionBrowse.Instance.Letter;
- }
+ }
+
 public EnsureUserPermissionForContentAttribute(string paramName, char permissionToCheck) : this(paramName)
 {
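Review bot: The new guard in the single-argument constructor passes the parameter name as the string literal `"paramName"` to ArgumentException; if the project compiles as C# 6 or later, `throw new ArgumentException("Value cannot be null or whitespace.", nameof(paramName));` keeps it refactor-safe. The guard is also stricter than the removed `Mandate.ParameterNotNullOrEmpty` call, since a whitespace-only name is now rejected as well — the right outcome for a name used to locate the action argument the permission check is applied to, but a behaviour change worth one sentence in the commit message. The `- }` / `+ }` pair here, and the matching one in ContentController.cs, look like whitespace-only rewrites of otherwise unchanged lines and only add noise to the diff.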