What is the intended functionality for ContentPermissionsPart?

Topics: Administration, General
Aug 15, 2014 at 9:59 PM
Edited Aug 15, 2014 at 10:13 PM
I'm playing around with the ContentPermissionsPart for the first time and was surprised by the way it worked. It seems that permissions set through the part on a content item completely override role-based permissions set elsewhere. So if I am in a role that has permission to "View all content" but the checkbox on the ContentPermissionsPart for "View this item" is unchecked, I am denied access to that particular content item.

For some reason I was expecting that if either role permissions or content item permissions granted me access, that would be enough. But instead, only the content item permissions are taken into consideration. I think it all boils down to this line of code in Orchard.ContentPermissions.Security.AuthorizationEventHandler:
context.Granted = rolesToExamine.Any(x => authorizedRoles.Contains(x, StringComparer.OrdinalIgnoreCase));
It's setting the Granted flag based on whether the user belongs to any roles authorized by the ContentPermissionsPart and overriding any previous determination made by the RolesBasedAuthorizationService.

I think I expected it to work differently because I've always thought that Orchard didn't have deny-type permissions (it was only allow). However, this effectively does provide deny permissions at the content item level.

As a strange twist, the way it is currently working actually meets my needs very well. The way I expected it to behave would not have worked for what I'm trying to do.

So my question is, is this the way it's designed to work? Or is this a bug? I found Bertrand mentioning that this behavior may be a bug in this discussion thread.

I don't want to depend on it working a certain way and then a bug fix comes along and breaks what I've done. Thoughts?
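
The two behaviours contrasted in the post above, as an added example that is not part of the original post and not Orchard's code. The `AccessCheck` and `ItemHandlers` types, the role names and the "null means no item-level settings" convention are all assumptions made for this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical, simplified model of an authorization check; not Orchard's types.
class AccessCheck {
    public bool Granted;               // decision so far, e.g. from role-based permissions
    public string[] UserRoles;         // roles of the current user
    public string[] ItemRoles;         // roles ticked on the item; null = no item-level settings
}

static class ItemHandlers {
    static bool InItemRoles(AccessCheck c) =>
        c.UserRoles.Any(r => c.ItemRoles.Contains(r, StringComparer.OrdinalIgnoreCase));

    // Override: the item-level result replaces the earlier decision, so an
    // unticked role loses access even if a site-wide permission granted it.
    public static bool Override(AccessCheck c) =>
        c.ItemRoles == null ? c.Granted : InItemRoles(c);

    // Additive: item-level settings can grant access but never take it away.
    public static bool Additive(AccessCheck c) =>
        c.ItemRoles == null ? c.Granted : c.Granted || InItemRoles(c);
}

static class Program {
    static void Main() {
        // Constructed scenarios (role names are sample values).
        var cases = new (string Name, AccessCheck Check)[] {
            ("Editor with site-wide view, item limited to Administrator",
             new AccessCheck { Granted = true, UserRoles = new[] { "Editor" }, ItemRoles = new[] { "administrator" } }),
            ("Anonymous without site-wide view, item allows Anonymous",
             new AccessCheck { Granted = false, UserRoles = new[] { "Anonymous" }, ItemRoles = new[] { "Anonymous" } }),
            ("Editor with site-wide view, no item-level settings",
             new AccessCheck { Granted = true, UserRoles = new[] { "Editor" }, ItemRoles = null }),
        };
        foreach (var (name, check) in cases)
            Console.WriteLine($"{name}: override={ItemHandlers.Override(check)}, additive={ItemHandlers.Additive(check)}");
    }
}
```

The two policies differ only in the first scenario, where the override policy denies and the additive policy allows; anyone relying on item-level settings to restrict access is relying on the override behaviour.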