Permission check for unpublished products, close #14

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Application.Contracts/EasyAbp/EShop/Products/Products/IProductAppService.cs

@@ -20,6 +20,8 @@ namespace EasyAbp.EShop.Products.Products
 
         Task<ProductDto> UpdateSkuAsync(Guid productId, Guid productSkuId, Guid storeId, UpdateProductSkuDto input);
 
+        Task<ProductDto> GetAsync(Guid id, Guid storeId);
+
         Task<ProductDto> DeleteSkuAsync(Guid productId, Guid productSkuId, Guid storeId);
     }
 }
\ No newline at end of file

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Application/EasyAbp/EShop/Products/Categories/CategoryAppService.cs

@@ -32,14 +32,17 @@ namespace EasyAbp.EShop.Products.Categories
             return input.ShowHidden ? query : query.Where(x => !x.IsHidden);
         }
 
-        public override Task<PagedResultDto<CategoryDto>> GetListAsync(GetCategoryListDto input)
+        public override async Task<PagedResultDto<CategoryDto>> GetListAsync(GetCategoryListDto input)
         {
-            if (input.ShowHidden)
+            // Todo: Check if current user is an admin of the store.
+            var isCurrentUserStoreAdmin = true;
+
+            if (input.ShowHidden && (!isCurrentUserStoreAdmin || !await AuthorizationService.IsGrantedAsync(ProductsPermissions.Categories.Default)))
             {
-                AuthorizationService.CheckAsync(ProductsPermissions.Products.Default);
+                throw new NotAllowedToGetCategoryListWithShowHiddenException();
             }
             
-            return base.GetListAsync(input);
+            return await base.GetListAsync(input);
         }
     }
 }
\ No newline at end of file

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Application/EasyAbp/EShop/Products/Categories/NotAllowedToGetCategoryListWithShowHiddenException.cs

+using Volo.Abp;
+
+namespace EasyAbp.EShop.Products.Categories
+{
+    public class NotAllowedToGetCategoryListWithShowHiddenException : BusinessException
+    {
+        public NotAllowedToGetCategoryListWithShowHiddenException() : base(
+            message: $"You have no permission to get category list with hidden categories.")
+        {
+        }
+    }
+}
\ No newline at end of file

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Application/EasyAbp/EShop/Products/Products/NotAllowedToGetProductListWithShowHiddenException.cs

+using System;
+using Volo.Abp;
+
+namespace EasyAbp.EShop.Products.Products
+{
+    public class NotAllowedToGetProductListWithShowHiddenException : BusinessException
+    {
+        public NotAllowedToGetProductListWithShowHiddenException() : base(
+            message: $"You have no permission to get product list with hidden products.")
+        {
+        }
+    }
+}
\ No newline at end of file

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Application/EasyAbp/EShop/Products/Products/ProductAppService.cs

@@ -163,29 +163,62 @@ namespace EasyAbp.EShop.Products.Products
         }
 
         [RemoteService(false)]
-        public override async Task DeleteAsync(Guid id)
+        public override Task DeleteAsync(Guid id)
         {
             throw new NotImplementedException();
         }
 
-        public override async Task<ProductDto> GetAsync(Guid id)
+        [RemoteService(false)]
+        public override Task<ProductDto> GetAsync(Guid id)
+        {
+            throw new NotImplementedException();
+        }
+        
+        public virtual async Task<ProductDto> GetAsync(Guid id, Guid storeId)
         {
             var dto = await base.GetAsync(id);
 
+            if (!dto.IsPublished)
+            {
+                await CheckStoreIsProductOwnerAsync(id, storeId);
+            }
+
             dto.CategoryIds = (await _productCategoryRepository.GetListByProductIdAsync(dto.Id))
                 .Select(x => x.CategoryId).ToList();
             
             return dto;
         }
 
-        public override Task<PagedResultDto<ProductDto>> GetListAsync(GetProductListDto input)
+        public override async Task<PagedResultDto<ProductDto>> GetListAsync(GetProductListDto input)
         {
-            if (input.ShowHidden)
+            await CheckGetListPolicyAsync();
+
+            // Todo: Check if current user is an admin of the store.
+            var isCurrentUserStoreAdmin = true;
+            
+            if (input.ShowHidden && (!isCurrentUserStoreAdmin || !await AuthorizationService.IsGrantedAsync(ProductsPermissions.Products.Default)))
             {
-                AuthorizationService.CheckAsync(ProductsPermissions.Products.Default);
+                throw new NotAllowedToGetProductListWithShowHiddenException();
             }
+
+            var query = CreateFilteredQuery(input);
             
-            return base.GetListAsync(input);
+            if (!isCurrentUserStoreAdmin)
+            {
+                query = query.Where(x => x.IsPublished);
+            }
+
+            var totalCount = await AsyncQueryableExecuter.CountAsync(query);
+
+            query = ApplySorting(query, input);
+            query = ApplyPaging(query, input);
+
+            var entities = await AsyncQueryableExecuter.ToListAsync(query);
+
+            return new PagedResultDto<ProductDto>(
+                totalCount,
+                entities.Select(MapToGetListOutputDto).ToList()
+            );
         }
 
         public async Task DeleteAsync(Guid id, Guid storeId)

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Web/Pages/EShop/Products/Products/Product/EditModal.cshtml.cs

@@ -58,7 +58,7 @@ namespace EasyAbp.EShop.Products.Web.Pages.EShop.Products.Products.Product
                     {MaxResultCount = LimitedResultRequestDto.MaxMaxResultCount}))?.Items
                 .Select(dto => new SelectListItem(dto.DisplayName, dto.Id.ToString())).ToList();
 
-            var productDto = await _service.GetAsync(Id);
+            var productDto = await _service.GetAsync(Id, storeId);
 
             var detailDto = await _productDetailAppService.GetAsync(productDto.ProductDetailId);
             
@@ -75,7 +75,7 @@ namespace EasyAbp.EShop.Products.Web.Pages.EShop.Products.Products.Product
 
         public virtual async Task<IActionResult> OnPostAsync()
         {
-            var product = await _service.GetAsync(Id);
+            var product = await _service.GetAsync(Id, Product.StoreId);
 
             var detail = await _productDetailAppService.GetAsync(product.ProductDetailId);
 

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Web/Pages/EShop/Products/Products/ProductSku/CreateModal.cshtml.cs

@@ -44,7 +44,7 @@ namespace EasyAbp.EShop.Products.Web.Pages.EShop.Products.Products.ProductSku
 
         public virtual async Task OnGetAsync()
         {
-            var product = await _productAppService.GetAsync(ProductId);
+            var product = await _productAppService.GetAsync(ProductId, StoreId);
 
             Attributes = new Dictionary<string, ICollection<SelectListItem>>();
             

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Web/Pages/EShop/Products/Products/ProductSku/EditModal.cshtml.cs

@@ -36,7 +36,7 @@ namespace EasyAbp.EShop.Products.Web.Pages.EShop.Products.Products.ProductSku
 
         public virtual async Task OnGetAsync()
         {
-            var product = await _productAppService.GetAsync(ProductId);
+            var product = await _productAppService.GetAsync(ProductId, StoreId);
 
             ProductSku =
                 ObjectMapper.Map<ProductSkuDto, CreateEditProductSkuViewModel>(

modules/EasyAbp.EShop.Products/src/EasyAbp.EShop.Products.Web/Pages/EShop/Products/Products/ProductSku/Index.cshtml.cs

@@ -25,7 +25,7 @@ namespace EasyAbp.EShop.Products.Web.Pages.EShop.Products.Products.ProductSku
         
         public virtual async Task OnGetAsync()
         {
-            ProductDisplayName = (await _productAppService.GetAsync(ProductId)).DisplayName;
+            ProductDisplayName = (await _productAppService.GetAsync(ProductId, StoreId)).DisplayName;
         }
     }
 }