Updates logic to ensure that if we are rendering site nodes that we don't render all of their children, we will filter out any nodes that do not belong to the user's start nodes' branches

2017-09-06 00:38:31 +10:00
parent 186fd1166a
commit c860069215
2 changed files with 103 additions and 14 deletions
--- a/src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
+++ b/src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
@@ -66,10 +66,14 @@ namespace Umbraco.Web.Trees
        /// <param name="queryStrings"></param>
        /// <returns></returns>
        internal TreeNode GetSingleTreeNodeWithAccessCheck(IUmbracoEntity e, string parentId, FormDataCollection queryStrings)
-        {
-            var treeNode = GetSingleTreeNode(e, parentId, queryStrings);
-            var hasAccess = Security.CurrentUser.HasPathAccess(e, Services.EntityService, RecycleBinId);
-            if (hasAccess == false)
+        {
+            bool hasPathAccess;
+            var entityIsAncestorOfStartNodes = Security.CurrentUser.IsInBranchOfStartNode(e, Services.EntityService, RecycleBinId, out hasPathAccess);
+            if (entityIsAncestorOfStartNodes == false)
+                return null;
+
+            var treeNode = GetSingleTreeNode(e, parentId, queryStrings);            
+            if (hasPathAccess == false)
            {
                treeNode.AdditionalData["noAccess"] = true;
            }