From 2fae9280e58849530fddb49bca8f0a423cf356e7 Mon Sep 17 00:00:00 2001
From: Hamish Friedlander
Date: Thu, 8 Aug 2013 17:17:35 +1200
Subject: [PATCH 1/2] FIX ArchiveDate enforcement
---
 code/controllers/ContentController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/controllers/ContentController.php b/code/controllers/ContentController.php
index 0ff261c5..9851f9df 100644
--- a/code/controllers/ContentController.php
+++ b/code/controllers/ContentController.php
@@ -108,7 +108,7 @@ class ContentController extends Controller {
 // Draft/Archive security check - only CMS users should be able to look at stage/archived content
 if($this->URLSegment != 'Security' && !Session::get('unsecuredDraftSite') && (Versioned::current_archived_date() || (Versioned::current_stage() && Versioned::current_stage() != 'Live'))) {
- if(!$this->dataRecord->canViewStage(Versioned::current_stage())) {
+ if(!$this->dataRecord->canViewStage(Versioned::current_archived_date() ? 'Stage' : Versioned::current_stage())) {
 $link = $this->Link();
 $message = _t("ContentController.DRAFT_SITE_ACCESS_RESTRICTION",
 'You must log in with your CMS password in order to view the draft or archived content. Click here to go back to the published site.');
 Session::clear('currentStage');
From b1664f86a430e52f65d12019ef4367eaa7a96c4e Mon Sep 17 00:00:00 2001
From: Simon Welsh
Date: Fri, 9 Aug 2013 10:45:09 +1200
Subject: [PATCH 2/2] FIX Check for stage and drafts in SiteTree::canView()
---
 code/model/SiteTree.php | 17 +++++++++++++++++
 tests/search/SearchFormTest.php | 9 +++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/code/model/SiteTree.php b/code/model/SiteTree.php
index 19a5d171..9801f8ea 100644
--- a/code/model/SiteTree.php
+++ b/code/model/SiteTree.php
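Review bot: The new ternary routes archived requests through `canViewStage('Stage')`, but nothing on the line says why an archived date is treated like the draft stage, and the outer condition on the context line above already calls `Versioned::current_archived_date()` once. A comment tied to the existing "only CMS users" remark would protect the intent from a later cleanup, e.g. `// Archived content is permission-checked as 'Stage': like draft, only CMS users may view it`. Hoisting the lookup into a local such as `$archivedDate = Versioned::current_archived_date();` and reusing it in both the outer condition and the ternary would avoid the repeated call, though that touches the unchanged line above. The enclosing method starts and ends outside the hunk.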
@@ -787,6 +787,23 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
 // admin override
 if($member && Permission::checkMember($member, array("ADMIN", "SITETREE_VIEW_ALL"))) return true;
+ // make sure we were loaded off an allowed stage
+
+ // Were we definitely loaded directly off Live during our query?
+ $fromLive = true;
+
+ foreach (array('mode' => 'stage', 'stage' => 'live') as $param => $match) {
+ $fromLive = $fromLive && strtolower((string)$this->getSourceQueryParam("Versioned.$param")) == $match;
+ }
+
+ if(!$fromLive
+ && !Session::get('unsecuredDraftSite')
+ && !Permission::checkMember($member, array('CMS_ACCESS_CMSMain', 'VIEW_DRAFT_CONTENT'))) {
+ // If we weren't definitely loaded from live, and we can't view non-live content, we need to
+ // check to make sure this version is the live version and so can be viewed
+ if (Versioned::get_versionnumber_by_stage($this->class, 'Live', $this->ID) != $this->Version) return false;
+ }
+
 // Standard mechanism for accepting permission changes from extensions
 $extended = $this->extendedCan('canView', $member);
 if($extended !== null) return $extended;
diff --git a/tests/search/SearchFormTest.php b/tests/search/SearchFormTest.php
index c0794fa0..257525b5 100644
--- a/tests/search/SearchFormTest.php
+++ b/tests/search/SearchFormTest.php
@@ -88,6 +88,7 @@ class ZZZSearchFormTest extends FunctionalTest {
 $sf = new SearchForm($this->mockController, 'SearchForm');
 $page = $this->objFromFixture('SiteTree', 'restrictedViewLoggedInUsers');
+ $page->publish('Stage', 'Live');
 $results = $sf->getResults(null, array('Search'=>'restrictedViewLoggedInUsers'));
 $this->assertNotContains(
 $page->ID,
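Review bot: The version gate at the end of the added block decides whether a record not loaded from Live is shown to a member without draft permissions, yet it uses loose `!=` (and the `$fromLive` loop uses loose `==`); since both version numbers may arrive as strings from the database, cast and compare strictly: `if ((int) Versioned::get_versionnumber_by_stage($this->class, 'Live', $this->ID) !== (int) $this->Version) return false;` and `=== $match` in the loop. A page that has never been published presumably has no Live version number, so the comparison denies access — that fail-closed outcome looks intended and deserves a comment, e.g. `// No Live version (never published), or a Version that differs from Live, means draft content: deny`. The new check also runs before `extendedCan`, so extensions cannot grant visibility of non-Live content through the hook; if that ordering is deliberate, say so in the same comment. `$member` may be null for anonymous visitors, so confirm `Permission::checkMember` treats a null member as having no permissions rather than falling through. canView starts before the hunk and continues after it.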
@@ -110,6 +111,7 @@ class ZZZSearchFormTest extends FunctionalTest {
 $sf = new SearchForm($this->mockController, 'SearchForm');
 $page = $this->objFromFixture('SiteTree', 'restrictedViewOnlyWebsiteUsers');
+ $page->publish('Stage', 'Live');
 $results = $sf->getResults(null, array('Search'=>'restrictedViewOnlyWebsiteUsers'));
 $this->assertNotContains(
 $page->ID,
@@ -138,11 +140,14 @@ class ZZZSearchFormTest extends FunctionalTest {
 $member->logOut();
 }
- public function testInheritedRestrictedPagesNotInlucded() {
+ public function testInheritedRestrictedPagesNotIncluded() {
 $sf = new SearchForm($this->mockController, 'SearchForm');
+
+ $parent = $this->objFromFixture('SiteTree', 'restrictedViewLoggedInUsers');
+ $parent->publish('Stage', 'Live');
 $page = $this->objFromFixture('SiteTree', 'inheritRestrictedView');
-
+ $page->publish('Stage', 'Live');
 $results = $sf->getResults(null, array('Search'=>'inheritRestrictedView'));
 $this->assertNotContains(
 $page->ID,