FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)

See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/
This commit is contained in:
Ingo Schommer 2013-08-30 15:43:02 +02:00
parent 2713c462a2
commit 6543b4e6f0


@ -70,16 +70,20 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
$fields = $record->getCMSFields(); $fields = $record->getCMSFields();
if($fields->hasTabSet()) { if($fields->hasTabSet()) {
$fields->findOrMakeTab('Root.Import',_t('Group.IMPORTTABTITLE', 'Import')); // Add import capabilities. Limit to admin since the import logic can affect assigned permissions
$fields->addFieldToTab('Root.Import', if(Permission::check('ADMIN')) {
new LiteralField( $fields->findOrMakeTab('Root.Import',_t('Group.IMPORTTABTITLE', 'Import'));
'MemberImportFormIframe', $fields->addFieldToTab('Root.Import',
sprintf( new LiteralField(
'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="400px" border="0"></iframe>', 'MemberImportFormIframe',
$this->Link('memberimport') sprintf(
'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="400px" border="0"></iframe>',
$this->Link('memberimport')
)
) )
) );
); }
if(Permission::check('APPLY_ROLES')) { if(Permission::check('APPLY_ROLES')) {
$fields->addFieldToTab( $fields->addFieldToTab(
'Root.Roles', 'Root.Roles',
@ -147,8 +151,19 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
) )
) )
) )
), )
new Tab('Import', _t('SecurityAdmin.TABIMPORT', 'Import'), ),
// necessary for tree node selection in LeftAndMain.EditForm.js
new HiddenField('ID', false, 0)
);
// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
if(Permission::check('ADMIN')) {
$fields->addFieldsToTab(
'Root',
new Tab(
'Import',
_t('SecurityAdmin.TABIMPORT', 'Import'),
new LiteralField( new LiteralField(
'GroupImportFormIframe', 'GroupImportFormIframe',
sprintf( sprintf(
@ -157,10 +172,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
) )
) )
) )
), );
// necessary for tree node selection in LeftAndMain.EditForm.js }
new HiddenField('ID', false, 0)
);
// Add roles editing interface // Add roles editing interface
if(Permission::check('APPLY_ROLES')) { if(Permission::check('APPLY_ROLES')) {
@ -217,6 +230,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
* @return Form * @return Form
*/ */
public function MemberImportForm() { public function MemberImportForm() {
if(!Permission::check('ADMIN')) return false;
$group = $this->currentPage(); $group = $this->currentPage();
$form = new MemberImportForm( $form = new MemberImportForm(
$this, $this,
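Review bot: The guard added at the top of MemberImportForm() returns `false`, which leaves the `@return Form` docblock just above it stale and gives a caller no way to tell a denied request from a form that is simply unavailable; the guard added to GroupImportForm() in the next hunk has the same issue. Change the docblock to `@return Form|false` and give the check a why-comment, e.g. `// SS-2013-004: import can assign groups and permissions, so only ADMIN may build (and therefore submit) this form`. Because the form object is only created through this factory the check also covers POST submissions, but the `memberimport` action that embeds the iframe (reached via Link('memberimport') in the first hunk, body outside this view) presumably still renders for non-admins; returning a permission failure from that action as well would make the denial explicit, so confirm against the action code. The body of MemberImportForm() continues past the end of the hunk.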
@ -249,6 +264,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
* @return Form * @return Form
*/ */
public function GroupImportForm() { public function GroupImportForm() {
if(!Permission::check('ADMIN')) return false;
$form = new GroupImportForm( $form = new GroupImportForm(
$this, $this,
'GroupImportForm' 'GroupImportForm'