From 3398f670d881447f8777b567f1ead7c0d8d253f5 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Wed, 17 Feb 2016 17:30:51 +1300
Subject: [PATCH] [ss-2015-028] Block unauthenticated access to dev/build/defaults

---
 dev/DevelopmentAdmin.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dev/DevelopmentAdmin.php b/dev/DevelopmentAdmin.php
index 348391085..b861f73c9 100644
--- a/dev/DevelopmentAdmin.php
+++ b/dev/DevelopmentAdmin.php
@@ -33,8 +33,9 @@ class DevelopmentAdmin extends Controller {
 parent::init();
 // Special case for dev/build: Defer permission checks to DatabaseAdmin->init() (see #4957)
- $requestedDevBuild = (stripos($this->getRequest()->getURL(), 'dev/build') === 0);
-
+ $requestedDevBuild = (stripos($this->getRequest()->getURL(), 'dev/build') === 0)
+ && (stripos($this->getRequest()->getURL(), 'dev/build/defaults') === false);
+
 // We allow access to this controller regardless of live-status or ADMIN permission only
 // if on CLI. Access to this controller is always allowed in "dev-mode", or of the user is ADMIN.
 $canAccess = (