tonyair/silverstripe-cms
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-cms synced 2024-10-22 08:05:56 +02:00
Code Issues Projects Releases Wiki Activity

[SS-2016-012] FIX Missing ACL check on ReportAdmin

Browse Source 
This issue exposed reports to users able to guess the URL of a Report that they were not allowed to view the report
This commit is contained in:
Daniel Hensby 2016-07-14 16:25:22 +01:00 committed by Damian Mooyman
parent 4d17dcc799
commit 5f73d3454e
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
code/controllers/ReportAdmin.php
View File

@ -31,10 +31,12 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
*/ */
protected $reportClass; protected $reportClass;
/**
* @var SS_Report
*/
protected $reportObject; protected $reportObject;
public function init() { public function init() {
parent::init();
//set the report we are currently viewing from the URL //set the report we are currently viewing from the URL
$this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index') $this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index')
@ -43,6 +45,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
$allReports = SS_Report::get_reports(); $allReports = SS_Report::get_reports();
$this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null; $this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null;
parent::init();
Requirements::css(CMS_DIR . '/css/screen.css'); Requirements::css(CMS_DIR . '/css/screen.css');
// Set custom options for TinyMCE specific to ReportAdmin // Set custom options for TinyMCE specific to ReportAdmin
@ -68,7 +72,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
if(!parent::canView($member)) return false; if(!parent::canView($member)) return false;
$hasViewableSubclasses = false; if ($this->reportObject) return $this->reportObject->canView($member);
foreach($this->Reports() as $report) { foreach($this->Reports() as $report) {
if($report->canView($member)) return true; if($report->canView($member)) return true;
} }