tonyair/silverstripe-cms
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-cms synced 2024-10-22 06:05:56 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1341 from open-sausages/pulls/3/fix-versioned-canview

Browse Source 
API Refactor versioned security into core module
This commit is contained in:
Ingo Schommer 2015-12-10 10:57:04 +13:00
commit cb76ddd32f
2 changed files with 0 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
code/controllers/ContentController.php
View File

@ -110,33 +110,6 @@ class ContentController extends Controller {
return Security::permissionFailure($this);
}
// Draft/Archive security check - only CMS users should be able to look at stage/archived content
if(
$this->URLSegment != 'Security'
&& !Session::get('unsecuredDraftSite')
&& (
Versioned::current_archived_date()
|| (Versioned::current_stage() && Versioned::current_stage() != 'Live')
)
) {
if(!$this->dataRecord->canView()) {
Session::clear('currentStage');
Session::clear('archiveDate');
$permissionMessage = sprintf(
_t(
"ContentController.DRAFT_SITE_ACCESS_RESTRICTION",
'You must log in with your CMS password in order to view the draft or archived content. '.
'<a href="%s">Click here to go back to the published site.</a>'
),
Controller::join_links($this->Link(), "?stage=Live")
);
return Security::permissionFailure($this, $permissionMessage);
}
}
// Use theme from the site config
if(($config = SiteConfig::current_site_config()) && $config->Theme) {
Config::inst()->update('SSViewer', 'theme', $config->Theme);

37
code/model/SiteTree.php
View File

@ -903,23 +903,6 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
// admin override
if($member && Permission::checkMember($member, array("ADMIN", "SITETREE_VIEW_ALL"))) return true;
// make sure we were loaded off an allowed stage
// Were we definitely loaded directly off Live during our query?
$fromLive = true;
foreach (array('mode' => 'stage', 'stage' => 'live') as $param => $match) {
$fromLive = $fromLive && strtolower((string)$this->getSourceQueryParam("Versioned.$param")) == $match;
}
if(!$fromLive
&& !Session::get('unsecuredDraftSite')
&& !Permission::checkMember($member, array('CMS_ACCESS_LeftAndMain', 'CMS_ACCESS_CMSMain', 'VIEW_DRAFT_CONTENT'))) {
// If we weren't definitely loaded from live, and we can't view non-live content, we need to
// check to make sure this version is the live version and so can be viewed
if (Versioned::get_versionnumber_by_stage($this->class, 'Live', $this->ID) != $this->Version) return false;
}
// Orphaned pages (in the current stage) are unavailable, except for admins via the CMS
if($this->isOrphaned()) return false;
@ -952,26 +935,6 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid
return false;
}
/**
* Determines canView permissions for the latest version of this Page on a specific stage (see {@link Versioned}).
* Usually the stage is read from {@link Versioned::current_stage()}.
*
* @todo Implement in CMS UI.
*
* @param string $stage
* @param Member $member
* @return bool
*/
public function canViewStage($stage = 'Live', $member = null) {
$oldMode = Versioned::get_reading_mode();
Versioned::reading_stage($stage);
$versionFromStage = DataObject::get($this->class)->byID($this->ID);
Versioned::set_reading_mode($oldMode);
return $versionFromStage ? $versionFromStage->canView($member) : false;
}
/**
* This function should return true if the current user can delete this page. It can be overloaded to customise the