FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)

See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/
Ingo Schommer 2013-08-30 15:43:02 +02:00
parent 2713c462a2
commit 6543b4e6f0
1 changed files with 32 additions and 15 deletions


@ -70,16 +70,20 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
$fields = $record->getCMSFields();
if($fields->hasTabSet()) {
$fields->findOrMakeTab('Root.Import',_t('Group.IMPORTTABTITLE', 'Import'));
$fields->addFieldToTab('Root.Import',
new LiteralField(
'MemberImportFormIframe',
sprintf(
'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="400px" border="0"></iframe>',
$this->Link('memberimport')
// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
if(Permission::check('ADMIN')) {
$fields->findOrMakeTab('Root.Import',_t('Group.IMPORTTABTITLE', 'Import'));
$fields->addFieldToTab('Root.Import',
new LiteralField(
'MemberImportFormIframe',
sprintf(
'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="400px" border="0"></iframe>',
$this->Link('memberimport')
)
)
)
);
);
}
if(Permission::check('APPLY_ROLES')) {
$fields->addFieldToTab(
'Root.Roles',
@ -147,8 +151,19 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
)
)
)
),
new Tab('Import', _t('SecurityAdmin.TABIMPORT', 'Import'),
)
),
// necessary for tree node selection in LeftAndMain.EditForm.js
new HiddenField('ID', false, 0)
);
// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
if(Permission::check('ADMIN')) {
$fields->addFieldsToTab(
'Root',
new Tab(
'Import',
_t('SecurityAdmin.TABIMPORT', 'Import'),
new LiteralField(
'GroupImportFormIframe',
sprintf(
@ -157,10 +172,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
)
)
)
),
// necessary for tree node selection in LeftAndMain.EditForm.js
new HiddenField('ID', false, 0)
);
);
}
// Add roles editing interface
if(Permission::check('APPLY_ROLES')) {
@ -217,6 +230,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
* @return Form
*/
public function MemberImportForm() {
if(!Permission::check('ADMIN')) return false;
$group = $this->currentPage();
$form = new MemberImportForm(
$this,
@ -249,6 +264,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
* @return Form
*/
public function GroupImportForm() {
if(!Permission::check('ADMIN')) return false;
$form = new GroupImportForm(
$this,
'GroupImportForm'
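Review bot: The `@return Form` docblocks at the top of the MemberImportForm and GroupImportForm hunks are now inaccurate, because both methods return `false` when the caller lacks ADMIN; update them to `@return Form|false` or, better, make the denial explicit with `if(!Permission::check('ADMIN')) return $this->httpError(403);` so a direct request to the form action is refused with a status code rather than whatever the request handler does with a bare `false` (presumably an empty response; worth confirming). The `Permission::check('ADMIN')` literal now appears in four places in this file (the two field-building hunks and the two form methods); a single private helper such as `canImport()` would keep the gate consistent if the policy changes. Hiding the Import tabs in the first three hunks is presentation only, so the two form-method checks are the actual control and deserve a test asserting that a non-admin request to each form action is denied.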