From a3295e2a37b6231a7c60dc4facc09e14372ae5a7 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Fri, 12 Oct 2012 15:37:07 +0200
Subject: [PATCH] API File->canEdit() returns TRUE by default (not checking CMS perms)
This is a measure to support form fields and controllers interacting with files in different contexts, for example an UploadField used in a ModelAdmin, or a website frontend. The check for 'CMS_ACCESS_AssetAdmin' was too restricting. This wasn't a problem in 2.x simply because the old FileField/Upload classes didn't respect File->can*() permissions.
---
 docs/en/changelogs/3.1.0.md | 3 ++-
 filesystem/File.php | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/en/changelogs/3.1.0.md b/docs/en/changelogs/3.1.0.md
index 20f531d1f..7807c2db9 100644
--- a/docs/en/changelogs/3.1.0.md
+++ b/docs/en/changelogs/3.1.0.md
@@ -9,4 +9,5 @@
 * Removed defunct or unnecessary debug GET parameters: `debug_profile`, `debug_memory`, `profile_trace`, `debug_javascript`, `debug_behaviour`
 * Removed `Member_ProfileForm`, use `CMSProfileController` instead
- * `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.
\ No newline at end of file
+ * `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.
+ * Removed CMS permission checks from `File->canEdit()` and `File->canDelete()`. If you have unsecured controllers relying on these permissions, please override them through a `DataExtension`.
\ No newline at end of file
diff --git a/filesystem/File.php b/filesystem/File.php
index a66bd562b..9d6b4b171 100644
--- a/filesystem/File.php
+++ b/filesystem/File.php
@@ -293,7 +293,7 @@ class File extends DataObject {
 $result = $this->extendedCan('canEdit', $member);
 if($result !== null) return $result;
- return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
+ return true;
 }
 /**
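Review bot: The new `return true;` makes File->canEdit() grant edit access to every caller whenever no DataExtension answers via extendedCan(), presumably including an unauthenticated visitor where $member is null, and the method itself never says that access control now belongs to the calling controller or form field. Add a docblock above canEdit() along the lines of `Returns true by default: callers (controllers, form fields) must enforce their own access checks, or restrict this via a DataExtension implementing canEdit().` so the permissive default is visible where the method is read, not only in the changelog. The changelog hunk in this patch announces the same removal for File->canDelete(), yet this diff only touches canEdit(); either canDelete() is changed in another commit or the changelog entry overstates what this patch does, which is worth confirming before merge. The signature of canEdit() lies outside the hunk, which shows only the tail of its body.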