tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

BUG Members should not be allowed to delete themselves (fixes #8121)

Browse Source
This commit is contained in:
Ingo Schommer 2012-12-15 20:23:50 +01:00
parent bf5590d873
commit 22eeaa4ac1
2 changed files with 35 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
security/Member.php
View File

@ -1294,16 +1294,20 @@ class Member extends DataObject implements TemplateGlobalProvider {
*/
public function canDelete($member = null) {
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
// extended access checks
$results = $this->extend('canDelete', $member);
if($results && is_array($results)) {
if(!min($results)) return false;
else return true;
}
// No member found
if(!($member && $member->exists())) return false;
// Members are not allowed to remove themselves,
// since it would create inconsistencies in the admin UIs.
if($this->ID && $member->ID == $this->ID) return false;
return $this->canEdit($member);
}

30
tests/security/MemberTest.php
View File

@ -432,7 +432,7 @@ class MemberTest extends FunctionalTest {
/* Logged in users can edit their own record */
$this->session()->inst_set('loggedInAs', $member->ID);
$this->assertTrue($member->canView());
$this->assertTrue($member->canDelete());
$this->assertFalse($member->canDelete());
$this->assertTrue($member->canEdit());
/* Other uses cannot view, delete or edit others records */
@ -653,6 +653,34 @@ class MemberTest extends FunctionalTest {
$this->assertFalse($m2->validateAutoLoginToken($m1Token), 'Fails token validity test against other member.');
}
public function testCanDelete() {
$admin1 = $this->objFromFixture('Member', 'admin');
$admin2 = $this->objFromFixture('Member', 'other-admin');
$member1 = $this->objFromFixture('Member', 'grouplessmember');
$member2 = $this->objFromFixture('Member', 'noformatmember');
$this->assertTrue(
$admin1->canDelete($admin2),
'Admins can delete other admins'
);
$this->assertTrue(
$member1->canDelete($admin2),
'Admins can delete non-admins'
);
$this->assertFalse(
$admin1->canDelete($admin1),
'Admins can not delete themselves'
);
$this->assertFalse(
$member1->canDelete($member2),
'Non-admins can not delete other non-admins'
);
$this->assertFalse(
$member1->canDelete($member1),
'Non-admins can not delete themselves'
);
}
}
class MemberTest_ViewingAllowedExtension extends DataExtension implements TestOnly {