From 5d27ea4be137f62b969558482c55309abbbbf787 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Fri, 24 Oct 2014 11:31:33 +1300
Subject: [PATCH] BUG File attach handler is no longer accessible if attachment is disallowed or disabled
---
 forms/UploadField.php | 1 +
 tests/forms/uploadfield/UploadFieldTest.php | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/forms/UploadField.php b/forms/UploadField.php
index e5b161da4..015661a69 100644
--- a/forms/UploadField.php
+++ b/forms/UploadField.php
@@ -1089,6 +1089,7 @@ class UploadField extends FileField {
 * @return UploadField_ItemHandler
 */
 public function handleSelect(SS_HTTPRequest $request) {
+ if(!$this->canAttachExisting()) return $this->httpError(403);
 return UploadField_SelectHandler::create($this, $this->getFolderName());
 }

diff --git a/tests/forms/uploadfield/UploadFieldTest.php b/tests/forms/uploadfield/UploadFieldTest.php
index 89dac5e0c..27b37b02f 100644
--- a/tests/forms/uploadfield/UploadFieldTest.php
+++ b/tests/forms/uploadfield/UploadFieldTest.php
@@ -621,6 +621,12 @@ class UploadFieldTest extends FunctionalTest {
 (bool)$parser->getBySelector('#CanAttachExistingFalseField .ss-uploadfield-fromfiles'),
 'Removes "From files" button'
 );
+
+ // Test requests to select files have the correct given permission
+ $response2 = $this->get('UploadFieldTest_Controller/Form/field/CanAttachExistingFalseField/select');
+ $this->assertEquals(403, $response2->getStatusCode());
+ $response3 = $this->get('UploadFieldTest_Controller/Form/field/HasOneFile/select');
+ $this->assertEquals(200, $response3->getStatusCode());
 }

 public function testSelect() {
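Review bot: The new guard in `handleSelect()` checks only `canAttachExisting()`, while the subject line also promises the handler is unreachable when the field is disabled. Unless `canAttachExisting()` itself accounts for disabled or read-only state (its body is outside this hunk), a disabled field would still return the file-selection handler on a direct request to its `select` URL. Consider `if($this->isDisabled() || $this->isReadonly() || !$this->canAttachExisting()) return $this->httpError(403);`. The test hunk in `UploadFieldTest.php` has the same gap: it covers `CanAttachExistingFalseField` and an allowed field, but no disabled or read-only one. The `@return UploadField_ItemHandler` docblock above the method could also mention the 403 path.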
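Review bot: The two added status-code assertions carry no failure message, unlike the assertion just above them ('Removes "From files" button'), and the names `$response2`/`$response3` do not say which endpoint each holds. A failing run would therefore report only a bare 403/200 mismatch for an access-control check. Passing a message would fix that, e.g. `$this->assertEquals(403, $response2->getStatusCode(), 'select is forbidden when attaching existing files is off');` and an equivalent one for the 200 case. The enclosing test method starts outside this hunk.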