From 5f73d3454ecbc4850e91a0a3007102f6d4d9b853 Mon Sep 17 00:00:00 2001 From: Daniel Hensby Date: Thu, 14 Jul 2016 16:25:22 +0100 Subject: [PATCH] [SS-2016-012] FIX Missing ACL check on ReportAdmin This issue exposed reports to users able to guess the URL of a Report that they were not allowed to view the report --- code/controllers/ReportAdmin.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/code/controllers/ReportAdmin.php b/code/controllers/ReportAdmin.php index 1683dafa..0b11276c 100644 --- a/code/controllers/ReportAdmin.php +++ b/code/controllers/ReportAdmin.php @@ -31,10 +31,12 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider { */ protected $reportClass; + /** + * @var SS_Report + */ protected $reportObject; public function init() { - parent::init(); //set the report we are currently viewing from the URL $this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index') @@ -43,6 +45,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider { $allReports = SS_Report::get_reports(); $this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null; + parent::init(); + Requirements::css(CMS_DIR . '/css/screen.css'); // Set custom options for TinyMCE specific to ReportAdmin @@ -68,7 +72,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider { if(!parent::canView($member)) return false; - $hasViewableSubclasses = false; + if ($this->reportObject) return $this->reportObject->canView($member); + foreach($this->Reports() as $report) { if($report->canView($member)) return true; }