mirror of
https://github.com/silverstripe/silverstripe-cms
synced 2024-10-22 08:05:56 +02:00
[SS-2016-012] FIX Missing ACL check on ReportAdmin
This issue exposed reports to users able to guess the URL of a Report that they were not allowed to view the report
This commit is contained in:
parent
4d17dcc799
commit
5f73d3454e
@ -31,10 +31,12 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
|
||||
*/
|
||||
protected $reportClass;
|
||||
|
||||
/**
|
||||
* @var SS_Report
|
||||
*/
|
||||
protected $reportObject;
|
||||
|
||||
public function init() {
|
||||
parent::init();
|
||||
|
||||
//set the report we are currently viewing from the URL
|
||||
$this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index')
|
||||
@ -43,6 +45,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
|
||||
$allReports = SS_Report::get_reports();
|
||||
$this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null;
|
||||
|
||||
parent::init();
|
||||
|
||||
Requirements::css(CMS_DIR . '/css/screen.css');
|
||||
|
||||
// Set custom options for TinyMCE specific to ReportAdmin
|
||||
@ -68,7 +72,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
|
||||
|
||||
if(!parent::canView($member)) return false;
|
||||
|
||||
$hasViewableSubclasses = false;
|
||||
if ($this->reportObject) return $this->reportObject->canView($member);
|
||||
|
||||
foreach($this->Reports() as $report) {
|
||||
if($report->canView($member)) return true;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user