grandnode · KrzysztofPajak · Sep 30, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
diff --git a/src/Business/Grand.Business.Cms/Services/BlogService.cs b/src/Business/Grand.Business.Cms/Services/BlogService.cs
@@ -102,7 +102,10 @@ public virtual async Task<IPagedList<BlogPost>> GetAllBlogPosts(string storeId =
         }
 
         if (!string.IsNullOrEmpty(storeId) && !_accessControlConfig.IgnoreStoreLimitations)
-            query = query.Where(b => b.Stores.Contains(storeId) || !b.LimitedToStores);
+            query = from p in query
+                    where !p.LimitedToStores || p.Stores.Contains(storeId)
+                    select p;
+
         if (!string.IsNullOrEmpty(tag)) query = query.Where(x => x.Tags.Contains(tag));
 
         query = query.OrderByDescending(b => b.CreatedOnUtc);

diff --git a/src/Modules/Grand.Module.Installer/Extensions/PermissionExtensions.cs b/src/Modules/Grand.Module.Installer/Extensions/PermissionExtensions.cs
@@ -213,7 +213,8 @@ public static IEnumerable<DefaultPermission> DefaultPermissions()
                     StandardPermission.ManageMerchandiseReturns,
                     StandardPermission.ManageCheckoutAttribute,
                     StandardPermission.ManageReports,
-                    StandardPermission.ManageNews
+                    StandardPermission.ManageNews,
+                    StandardPermission.ManageBlog
                 ]
             },
 

diff --git a/src/Web/Grand.Web.Admin/Controllers/BlogController.cs b/src/Web/Grand.Web.Admin/Controllers/BlogController.cs
@@ -5,9 +5,6 @@
 using Grand.Business.Core.Interfaces.Common.Stores;
 using Grand.Domain.Permissions;
 using Grand.Domain.Seo;
-using Grand.Infrastructure;
-using Grand.Web.Admin.Extensions;
-using Grand.Web.AdminShared.Extensions;
 using Grand.Web.AdminShared.Extensions.Mapping;
 using Grand.Web.AdminShared.Interfaces;
 using Grand.Web.AdminShared.Models.Blogs;
@@ -31,8 +28,6 @@ public BlogController(
         ILanguageService languageService,
         ITranslationService translationService,
         IStoreService storeService,
-        IContextAccessor contextAccessor,
-        IGroupService groupService,
         IDateTimeService dateTimeService,
         IPictureViewModelService pictureViewModelService,
         SeoSettings seoSettings)
@@ -42,8 +37,6 @@ public BlogController(
         _languageService = languageService;
         _translationService = translationService;
         _storeService = storeService;
-        _contextAccessor = contextAccessor;
-        _groupService = groupService;
         _dateTimeService = dateTimeService;
         _pictureViewModelService = pictureViewModelService;
         _seoSettings = seoSettings;
@@ -58,8 +51,6 @@ public BlogController(
     private readonly ILanguageService _languageService;
     private readonly ITranslationService _translationService;
     private readonly IStoreService _storeService;
-    private readonly IContextAccessor _contextAccessor;
-    private readonly IGroupService _groupService;
     private readonly IDateTimeService _dateTimeService;
     private readonly IPictureViewModelService _pictureViewModelService;
     private readonly SeoSettings _seoSettings;
@@ -96,7 +87,8 @@ public async Task<IActionResult> Create()
         ViewBag.AllLanguages = await _languageService.GetAllLanguages(true);
         var model = new BlogPostModel {
             //default values
-            AllowComments = true
+            AllowComments = true,
+            CreateDate = DateTime.UtcNow
         };
         //locales
         await AddLocales(_languageService, model.Locales);
@@ -111,8 +103,6 @@ public async Task<IActionResult> Create(BlogPostModel model, bool continueEditin
     {
         if (ModelState.IsValid)
         {
-            if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-                model.Stores = [_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId];
             var blogPost = await _blogViewModelService.InsertBlogPostModel(model);
             Success(_translationService.GetResource("Admin.Content.Blog.BlogPosts.Added"));
             return continueEditing ? RedirectToAction("Edit", new { id = blogPost.Id }) : RedirectToAction("List");
@@ -132,21 +122,6 @@ public async Task<IActionResult> Edit(string id)
             //No blog post found with the specified id
             return RedirectToAction("List");
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-        {
-            if (!blogPost.LimitedToStores || (blogPost.LimitedToStores &&
-                                              blogPost.Stores.Contains(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId) &&
-                                              blogPost.Stores.Count > 1))
-            {
-                Warning(_translationService.GetResource("Admin.Content.Blog.BlogPosts.Permissions"));
-            }
-            else
-            {
-                if (!blogPost.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                    return RedirectToAction("List");
-            }
-        }
-
         ViewBag.AllLanguages = await _languageService.GetAllLanguages(true);
         var model = blogPost.ToModel(_dateTimeService);
         //locales
@@ -173,15 +148,8 @@ public async Task<IActionResult> Edit(BlogPostModel model, bool continueEditing)
             //No blog post found with the specified id
             return RedirectToAction("List");
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-            if (!blogPost.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                return RedirectToAction("Edit", new { id = blogPost.Id });
-
         if (ModelState.IsValid)
         {
-            if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-                model.Stores = [_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId];
-
             blogPost = await _blogViewModelService.UpdateBlogPostModel(model, blogPost);
 
             Success(_translationService.GetResource("Admin.Content.Blog.BlogPosts.Updated"));
@@ -222,10 +190,6 @@ public async Task<IActionResult> Delete(string id)
             //No blog post found with the specified id
             return RedirectToAction("List");
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-            if (!blogPost.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                return RedirectToAction("Edit", new { id = blogPost.Id });
-
         if (ModelState.IsValid)
         {
             await _blogService.DeleteBlogPost(blogPost);
@@ -295,7 +259,7 @@ public IActionResult CategoryList()
     [HttpPost]
     public async Task<IActionResult> CategoryList(DataSourceRequest command)
     {
-        var categories = await _blogService.GetAllBlogCategories(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId);
+        var categories = await _blogService.GetAllBlogCategories("");
         var gridModel = new DataSourceResult {
             Data = categories,
             Total = categories.Count
@@ -321,9 +285,6 @@ public async Task<IActionResult> CategoryCreate(BlogCategoryModel model, bool co
     {
         if (ModelState.IsValid)
         {
-            if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-                model.Stores = [_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId];
-
             var blogCategory = model.ToEntity();
             blogCategory.SeName = SeoExtensions.GetSeName(
                 string.IsNullOrEmpty(blogCategory.SeName) ? blogCategory.Name : blogCategory.SeName,
@@ -352,22 +313,6 @@ public async Task<IActionResult> CategoryEdit(string id)
             //No blog post found with the specified id
             return RedirectToAction("CategoryList");
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-        {
-            if (!blogCategory.LimitedToStores || (blogCategory.LimitedToStores &&
-                                                  blogCategory.Stores.Contains(
-                                                      _contextAccessor.WorkContext.CurrentCustomer.StaffStoreId) &&
-                                                  blogCategory.Stores.Count > 1))
-            {
-                Warning(_translationService.GetResource("Admin.Content.Blog.BlogCategory.Permissions"));
-            }
-            else
-            {
-                if (!blogCategory.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                    return RedirectToAction("List");
-            }
-        }
-
         ViewBag.AllLanguages = await _languageService.GetAllLanguages(true);
         var model = blogCategory.ToModel();
         //locales
@@ -388,15 +333,8 @@ public async Task<IActionResult> CategoryEdit(BlogCategoryModel model, bool cont
             //No blog post found with the specified id
             return RedirectToAction("CategoryList");
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-            if (!blogCategory.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                return RedirectToAction("CategoryEdit", new { id = blogCategory.Id });
-
         if (ModelState.IsValid)
         {
-            if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-                model.Stores = [_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId];
-
             blogCategory = model.ToEntity(blogCategory);
             blogCategory.SeName = SeoExtensions.GetSeName(
                 string.IsNullOrEmpty(blogCategory.SeName) ? blogCategory.Name : blogCategory.SeName,
@@ -436,10 +374,6 @@ public async Task<IActionResult> CategoryDelete(string id)
             //No blog post found with the specified id
             return RedirectToAction("CategoryList");
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-            if (!blogcategory.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                return RedirectToAction("CategoryEdit", new { id = blogcategory.Id });
-
         if (ModelState.IsValid)
         {
             await _blogService.DeleteBlogCategory(blogcategory);
@@ -488,10 +422,6 @@ public async Task<IActionResult> CategoryPostDelete(string categoryId, string id
         if (blogCategory == null)
             return ErrorForKendoGridJson("blogCategory no exists");
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-            if (!blogCategory.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                return ErrorForKendoGridJson("blogCategory no permission");
-
         if (ModelState.IsValid)
         {
             var post = blogCategory.BlogPosts.FirstOrDefault(x => x.Id == id);
@@ -512,12 +442,8 @@ public async Task<IActionResult> BlogPostAddPopup(string categoryId)
     {
         var model = new AddBlogPostCategoryModel();
         //stores
-        var storeId = _contextAccessor.WorkContext.CurrentCustomer.StaffStoreId;
-
-        model.AvailableStores.Add(new SelectListItem
-            { Text = _translationService.GetResource("Admin.Common.All"), Value = " " });
-        foreach (var s in (await _storeService.GetAllStores()).Where(x =>
-                     x.Id == storeId || string.IsNullOrWhiteSpace(storeId)))
+        model.AvailableStores.Add(new SelectListItem { Text = _translationService.GetResource("Admin.Common.All"), Value = " " });
+        foreach (var s in await _storeService.GetAllStores())
             model.AvailableStores.Add(new SelectListItem { Text = s.Shortcut, Value = s.Id });
         model.CategoryId = categoryId;
         return View(model);
@@ -529,9 +455,6 @@ public async Task<IActionResult> BlogPostAddPopupList(DataSourceRequest command,
     {
         var gridModel = new DataSourceResult();
 
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-            model.SearchStoreId = _contextAccessor.WorkContext.CurrentCustomer.StaffStoreId;
-
         var posts = await _blogService.GetAllBlogPosts(model.SearchStoreId, blogPostName: model.SearchBlogTitle,
             pageIndex: command.Page - 1, pageSize: command.PageSize);
         gridModel.Data = posts.Select(x => new { x.Id, Name = x.Title });
@@ -550,7 +473,7 @@ public async Task<IActionResult> BlogPostAddPopup(AddBlogPostCategoryModel model
             if (blogCategory != null)
                 foreach (var id in model.SelectedBlogPostIds)
                 {
-                    var post = _blogService.GetBlogPostById(id);
+                    var post = await _blogService.GetBlogPostById(id);
                     if (post != null)
                         if (!blogCategory.BlogPosts.Any(x => x.BlogPostId == id))
                         {
@@ -594,9 +517,6 @@ public async Task<IActionResult> CommentDelete(string id)
             throw new ArgumentException("No comment found with the specified id");
 
         var blogPost = await _blogService.GetBlogPostById(comment.BlogPostId);
-        if (await _groupService.IsStoreManager(_contextAccessor.WorkContext.CurrentCustomer))
-            if (!blogPost.AccessToEntityByStore(_contextAccessor.WorkContext.CurrentCustomer.StaffStoreId))
-                return ErrorForKendoGridJson("blogPost no permission");
 
         if (ModelState.IsValid)
         {