From 6543b4e6f0d82a780df6b695a2507f89c6dcf35a Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Fri, 30 Aug 2013 15:43:02 +0200 Subject: [PATCH 1/5] FIX Privilege escalation through Group and Member CSV upload (SS-2013-004) See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/ --- code/SecurityAdmin.php | 47 ++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 15 deletions(-) diff --git a/code/SecurityAdmin.php b/code/SecurityAdmin.php index 03847567..e871a7d3 100644 --- a/code/SecurityAdmin.php +++ b/code/SecurityAdmin.php @@ -70,16 +70,20 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider { $fields = $record->getCMSFields(); if($fields->hasTabSet()) { - $fields->findOrMakeTab('Root.Import',_t('Group.IMPORTTABTITLE', 'Import')); - $fields->addFieldToTab('Root.Import', - new LiteralField( - 'MemberImportFormIframe', - sprintf( - '', - $this->Link('memberimport') + // Add import capabilities. Limit to admin since the import logic can affect assigned permissions + if(Permission::check('ADMIN')) { + $fields->findOrMakeTab('Root.Import',_t('Group.IMPORTTABTITLE', 'Import')); + $fields->addFieldToTab('Root.Import', + new LiteralField( + 'MemberImportFormIframe', + sprintf( + '', + $this->Link('memberimport') + ) ) - ) - ); + ); + } + if(Permission::check('APPLY_ROLES')) { $fields->addFieldToTab( 'Root.Roles', @@ -147,8 +151,19 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider { ) ) ) - ), - new Tab('Import', _t('SecurityAdmin.TABIMPORT', 'Import'), + ) + ), + // necessary for tree node selection in LeftAndMain.EditForm.js + new HiddenField('ID', false, 0) + ); + + // Add import capabilities. Limit to admin since the import logic can affect assigned permissions + if(Permission::check('ADMIN')) { + $fields->addFieldsToTab( + 'Root', + new Tab( + 'Import', + _t('SecurityAdmin.TABIMPORT', 'Import'), new LiteralField( 'GroupImportFormIframe', sprintf( 
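Review bot: The `Permission::check('ADMIN')` gate that wraps the Member import tab here is the same literal condition repeated in the Group import tab hunk (@@ -147) and in the `MemberImportForm()` and `GroupImportForm()` guards (@@ -217, @@ -249), so the display gate and the handler gate can drift apart if one site is later relaxed without the others. A single helper, e.g. `protected function canImport() { return Permission::check('ADMIN'); }`, called at all four sites would keep the UI and the server-side check tied to one rule, and the explanatory comment "Limit to admin since the import logic can affect assigned permissions" would then live in one place instead of being duplicated verbatim. Hiding the tab is only a convenience; the handler guards in the later hunks are what actually stop a non-admin from reaching the import, so the helper should be treated as the security boundary and covered by a test. The enclosing method starts and ends outside this hunk.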
@@ -157,10 +172,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider { ) ) ) - ), - // necessary for tree node selection in LeftAndMain.EditForm.js - new HiddenField('ID', false, 0) - ); + ); + } // Add roles editing interface if(Permission::check('APPLY_ROLES')) { @@ -217,6 +230,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider { * @return Form */ public function MemberImportForm() { + if(!Permission::check('ADMIN')) return false; + $group = $this->currentPage(); $form = new MemberImportForm( $this, @@ -249,6 +264,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider { * @return Form */ public function GroupImportForm() { + if(!Permission::check('ADMIN')) return false; + $form = new GroupImportForm( $this, 'GroupImportForm' From 36afefc1f7eb2e990c5d2ff6fbe6cb9632f5e895 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Thu, 12 Sep 2013 16:29:36 +0200 Subject: [PATCH 2/5] Tagged 2.4.12 From 84c59b79042fa8e1b9bba645f7ce230e06997006 Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Thu, 26 Sep 2013 01:12:04 +0200 Subject: [PATCH 3/5] Tagged 2.4.13 From 48a8213a18790b5d3491c02e0336d1076bf53390 Mon Sep 17 00:00:00 2001 From: jean Date: Wed, 26 Feb 2014 11:17:56 +1300 Subject: [PATCH 4/5] BUGFIX Load jquery before leftandmain.js in upload iframe for assets --- code/AssetAdmin.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code/AssetAdmin.php b/code/AssetAdmin.php index 64e4e88c..d0428665 100755 --- a/code/AssetAdmin.php +++ b/code/AssetAdmin.php 
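Review bot: The new guard `if(!Permission::check('ADMIN')) return false;` contradicts the `@return Form` docblock two lines above it, and the same applies to `GroupImportForm()` in the next hunk (@@ -249); both docblocks should read `@return Form|false` with a sentence such as `Requires ADMIN permission; returns false for any other member, so the form is neither rendered nor able to receive a submission.`. Returning false does block the import, but a non-admin request that reaches this getter ends in an empty response rather than an explicit permission failure, which leaves no trace for anyone auditing denied access. If the framework routes form submissions through this getter (inferred from the form name being the URL segment, not visible here), answering with `Security::permissionFailure($this)` or a 403 in that request path would make the denial explicit and loggable while the template use keeps returning false. Both method bodies continue past their hunks.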
@@ -108,11 +108,11 @@ JS Requirements::javascript(SAPPHIRE_DIR . "/thirdparty/behaviour/behaviour.js"); Requirements::javascript(SAPPHIRE_DIR . "/javascript/prototype_improvements.js"); Requirements::javascript(SAPPHIRE_DIR . "/javascript/layout_helpers.js"); - Requirements::javascript(CMS_DIR . "/javascript/LeftAndMain.js"); - Requirements::javascript(CMS_DIR . "/thirdparty/multifile/multifile.js"); - Requirements::css(CMS_DIR . "/thirdparty/multifile/multifile.css"); Requirements::javascript(SAPPHIRE_DIR . "/thirdparty/jquery/jquery.js"); Requirements::javascript(SAPPHIRE_DIR . "/javascript/jquery_improvements.js"); + Requirements::javascript(CMS_DIR . "/javascript/LeftAndMain.js"); + Requirements::javascript(CMS_DIR . "/thirdparty/multifile/multifile.js"); + Requirements::css(CMS_DIR . "/thirdparty/multifile/multifile.css"); Requirements::css(CMS_DIR . "/css/typography.css"); Requirements::css(CMS_DIR . "/css/layout.css"); Requirements::css(CMS_DIR . "/css/cms_left.css"); From 56ea23a3b68017e0e42189da045bd6820f0005c9 Mon Sep 17 00:00:00 2001 From: Damian Mooyman Date: Mon, 5 May 2014 09:15:18 +1200 Subject: [PATCH 5/5] Update travis configuration to use composer phpunit --- .travis.yml | 2 +- composer.json | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 4207d749..98f52e50 100644 --- a/.travis.yml +++ b/.travis.yml @@ -12,7 +12,7 @@ before_script: - cd ~/builds/ss script: - - phpunit cms/tests + - vendor/bin/phpunit cms/tests branches: except: diff --git a/composer.json b/composer.json index e159f33c..4dece0a7 100644 --- a/composer.json +++ b/composer.json @@ -19,5 +19,8 @@ "php": ">=5.2.4", "composer/installers": "*", "silverstripe/framework": "2.4.*" + }, + "require-dev": { + "phpunit/PHPUnit": "~3.7" } }
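Review bot: The three `CMS_DIR` requirements now sit after the two jQuery lines with nothing in the code recording why that order matters, so a later tidy-up of the `Requirements::` list can silently reintroduce the bug this patch fixes. A one-line comment ahead of `Requirements::javascript(CMS_DIR . "/javascript/LeftAndMain.js");`, such as `// LeftAndMain.js depends on jQuery, which must be required before it`, would pin the ordering to its reason. The enclosing method starts outside this hunk.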
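Review bot: The added dev requirement is spelled `"phpunit/PHPUnit": "~3.7"`, while the canonical Packagist name is lowercase `phpunit/phpunit`; Composer resolves names case-insensitively, but lowercase is the documented form and newer Composer releases warn about uppercase characters in a requirement, so `"phpunit/phpunit": "~3.7"` avoids a future install-time warning or failure. The `vendor/bin/phpunit` path in the .travis.yml hunk also presumes dev dependencies are installed in the build's before_script, which is not shown in this diff.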