BUGFIX Using auto-escaped get_by_id() in CommentAdmin and SecurityAdmin (Merged from r73247)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/branches/2.3@73283 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sean Harvey 2009-03-18 02:53:28 +00:00 committed by Sam Minnee
parent cd6a6ad92d
commit 5ed106ea84
2 changed files with 13 additions and 8 deletions


@ -127,7 +127,7 @@ class CommentAdmin extends LeftAndMain {
if($_REQUEST['Comments']) {
foreach($_REQUEST['Comments'] as $commentid) {
$comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
$comment = DataObject::get_by_id('PageComment', $commentid);
if($comment) {
$comment->delete();
$numComments++;
@ -171,7 +171,7 @@ JS;
if($_REQUEST['Comments']) {
foreach($_REQUEST['Comments'] as $commentid) {
$comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
$comment = DataObject::get_by_id('PageComment', $commentid);
if($comment) {
$comment->IsSpam = true;
$comment->NeedsModeration = false;
@ -210,7 +210,7 @@ JS;
if($_REQUEST['Comments']) {
foreach($_REQUEST['Comments'] as $commentid) {
$comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
$comment = DataObject::get_by_id('PageComment', $commentid);
if($comment) {
$comment->IsSpam = false;
$comment->NeedsModeration = false;
@ -250,7 +250,7 @@ JS;
if($_REQUEST['Comments']) {
foreach($_REQUEST['Comments'] as $commentid) {
$comment = DataObject::get_one('PageComment', "`PageComment`.ID = $commentid");
$comment = DataObject::get_by_id('PageComment', $commentid);
if($comment) {
$comment->IsSpam = false;
$comment->NeedsModeration = false;
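Review bot: `$_REQUEST['Comments']` is read at the top of each changed loop without `isset()` or an `is_array()` check, so a missing key raises a notice and a scalar value makes `foreach` emit a warning and skip the loop; the same applies to all four hunks in this file (lines 127, 171, 210 and 250). A guard such as `if(!empty($_REQUEST['Comments']) && is_array($_REQUEST['Comments'])) {` covers both cases. Since the commit relies on get_by_id() escaping the id, casting at the call site, `$comment = DataObject::get_by_id('PageComment', (int)$commentid);`, makes that intent explicit and matches the `(int)` casts this commit adds in SecurityAdmin. These are state-changing actions (delete, mark spam/ham) driven by `$_REQUEST`, which accepts GET as well as POST parameters; if the forms submitting to them are not protected by a security token, reading from `$_POST` instead would be worth considering. The enclosing methods start and end outside the hunks.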


@ -143,8 +143,13 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
$id = $_REQUEST['ID'];
if($id == 'new') $id = null;
if($id) $record = DataObject::get_one($className, "`$className`.ID = $id");
else $record = new $className();
if($id) {
$record = DataObject::get_by_id($className, $id);
if($record && !$record->canEdit()) return Security::permissionFailure($this);
} else {
if(!singleton($this->stat('subitem_class'))->canCreate()) return Security::permissionFailure($this);
$record = new $className();
}
$record->update($data);
$record->ID = $id;
@ -167,7 +172,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
$record->update($data);
$record->write();
if($data['GroupID']) $record->Groups()->add($data['GroupID']);
if($data['GroupID']) $record->Groups()->add((int)$data['GroupID']);
FormResponse::add("reloadMemberTableField();");
@ -179,7 +184,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
$memberID = $this->urlParams['OtherID'];
if(is_numeric($groupID) && is_numeric($memberID)) {
$member = DataObject::get_by_id('Member', (int) $memberID);
$member->Groups()->remove($groupID);
$member->Groups()->remove((int)$groupID);
FormResponse::add("reloadMemberTableField();");
} else {
user_error("SecurityAdmin::removememberfromgroup: Bad parameters: Group=$groupID, Member=$memberID", E_USER_ERROR);
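Review bot: In the first hunk, `if($record && !$record->canEdit()) return Security::permissionFailure($this);` deliberately lets a null `$record` (an ID that matches no row) through, and execution then reaches `$record->update($data);` on null, which is a fatal error. An explicit failure branch before the permission check, e.g. `if(!$record) user_error("Bad ID: $id", E_USER_ERROR);` (mirroring the user_error style in the third hunk), would keep an unknown ID from reaching the update. The third hunk casts `$groupID` before `remove()` but still calls `$member->Groups()->remove(...)` with no check that `get_by_id('Member', ...)` found a record, and unlike the save path it performs no `canEdit()` check on the member; if this action is reachable by the same callers, the same guards seem warranted. All three enclosing methods start and end outside their hunks.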