Merge branch '3.6' into 3
commit
4a9e991edb
9
docs/en/04_Changelogs/3.5.8.md
Normal file
9
docs/en/04_Changelogs/3.5.8.md
Normal file
@ -0,0 +1,9 @@
|
||||
# 3.5.8
|
||||
|
||||
<!--- Changes below this line will be automatically regenerated -->
|
||||
|
||||
## Change Log
|
||||
|
||||
### Security
|
||||
|
||||
* 2018-04-11 [577138882](https://github.com/silverstripe/silverstripe-framework/commit/577138882) Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)
|
17
docs/en/04_Changelogs/3.6.6.md
Normal file
17
docs/en/04_Changelogs/3.6.6.md
Normal file
@ -0,0 +1,17 @@
|
||||
# 3.6.6
|
||||
|
||||
This security release removes the following file extensions from the default whitelist of accepted types for
|
||||
uploaded files: `dotm`, `potm`, `jar`, `css`, `js` and `xltm`.
|
||||
|
||||
If you require the ability to upload these file types in your projects, you will need to add them back in again.
|
||||
For more information, see ["Limit the allowed file types"](https://docs.silverstripe.org/en/3/developer_guides/forms/field_types/uploadfield/#limit-the-allowed-filetypes).
|
||||
|
||||
<!--- Changes below this line will be automatically regenerated -->
|
||||
|
||||
## Change Log
|
||||
|
||||
### Security
|
||||
|
||||
* 2018-05-08 [19fdebfa2](https://github.com/silverstripe/silverstripe-framework/commit/19fdebfa2) Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See [ss-2018-014](http://www.silverstripe.org/download/security-releases/ss-2018-014)
|
||||
* 2018-04-11 [577138882](https://github.com/silverstripe/silverstripe-framework/commit/577138882) Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)
|
||||
|
9
docs/en/04_Changelogs/rc/3.5.8-rc1.md
Normal file
9
docs/en/04_Changelogs/rc/3.5.8-rc1.md
Normal file
@ -0,0 +1,9 @@
|
||||
# 3.5.8-rc1
|
||||
|
||||
<!--- Changes below this line will be automatically regenerated -->
|
||||
|
||||
## Change Log
|
||||
|
||||
### Security
|
||||
|
||||
* 2018-04-11 [577138882]() Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)
|
16
docs/en/04_Changelogs/rc/3.6.6-rc1.md
Normal file
16
docs/en/04_Changelogs/rc/3.6.6-rc1.md
Normal file
@ -0,0 +1,16 @@
|
||||
# 3.6.6-rc1
|
||||
|
||||
This security release removes the following file extensions from the default whitelist of accepted types for
|
||||
uploaded files: `dotm`, `potm`, `jar`, `css`, `js` and `xltm`.
|
||||
|
||||
If you require the ability to upload these file types in your projects, you will need to add them back in again.
|
||||
For more information, see ["Limit the allowed file types"](https://docs.silverstripe.org/en/3/developer_guides/forms/field_types/uploadfield/#limit-the-allowed-filetypes).
|
||||
|
||||
<!--- Changes below this line will be automatically regenerated -->
|
||||
|
||||
## Change Log
|
||||
|
||||
### Security
|
||||
|
||||
* 2018-05-08 [19fdebfa2]() Remove dotm, potm, jar, css, js, xltm from default File.allowed_extensions (Robbie Averill) - See [ss-2018-014](http://www.silverstripe.org/download/security-releases/ss-2018-014)
|
||||
* 2018-04-11 [577138882]() Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)
|
@ -126,11 +126,11 @@ class File extends DataObject {
|
||||
* Instructions for the change you need to make are included in a comment in the config file.
|
||||
*/
|
||||
private static $allowed_extensions = array(
|
||||
'','ace','arc','arj','asf','au','avi','bmp','bz2','cab','cda','css','csv','dmg','doc','docx','dotx','dotm',
|
||||
'flv','gif','gpx','gz','hqx','ico','jar','jpeg','jpg','js','kml', 'm4a','m4v',
|
||||
'','ace','arc','arj','asf','au','avi','bmp','bz2','cab','cda','csv','dmg','doc','docx','dotx',
|
||||
'flv','gif','gpx','gz','hqx','ico','jpeg','jpg','kml', 'm4a','m4v',
|
||||
'mid','midi','mkv','mov','mp3','mp4','mpa','mpeg','mpg','ogg','ogv','pages','pcx','pdf','pkg',
|
||||
'png','pps','ppt','pptx','potx','potm','ra','ram','rm','rtf','sit','sitx', 'tar','tgz','tif','tiff',
|
||||
'txt','wav','webm','wma','wmv','xls','xlsx','xltx','xltm','zip','zipx',
|
||||
'png','pps','ppt','pptx','potx','ra','ram','rm','rtf','sit','sitx', 'tar','tgz','tif','tiff',
|
||||
'txt','wav','webm','wma','wmv','xls','xlsx','xltx','zip','zipx',
|
||||
);
|
||||
|
||||
/**
|
||||
|
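Review bot: The trimmed `$allowed_extensions` array on the new side records nothing about why `css`, `js`, `jar`, `dotm`, `potm` and `xltm` were dropped, so a later tidy-up of the list could re-add them without anyone noticing the regression; a line such as `// css/js/jar and the macro-enabled Office templates (dotm, potm, xltm) are excluded on purpose (ss-2018-014); re-enable per project via config, not here` above the array would keep the intent next to the code. The leading `''` entry is untouched by the change; if it admits extension-less uploads — I cannot confirm that from the hunk — it sidesteps extension-based filtering altogether and deserves the same scrutiny. The `File` class continues on both sides of the hunk.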
@ -1052,15 +1052,24 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
||||
* @return boolean True if the change can be accepted
|
||||
*/
|
||||
public function onChangeGroups($ids) {
|
||||
// Ensure none of these match disallowed list
|
||||
$disallowedGroupIDs = $this->disallowedGroups();
|
||||
return count(array_intersect($ids, $disallowedGroupIDs)) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* List of group IDs this user is disallowed from
|
||||
*
|
||||
* @return int[] List of group IDs
|
||||
*/
|
||||
protected function disallowedGroups() {
|
||||
// unless the current user is an admin already OR the logged in user is an admin
|
||||
if(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
|
||||
return true;
|
||||
if (Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
|
||||
return array();
|
||||
}
|
||||
|
||||
// If there are no admin groups in this set then it's ok
|
||||
$adminGroups = Permission::get_groups_by_permission('ADMIN');
|
||||
$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
|
||||
return count(array_intersect($ids, $adminGroupIDs)) == 0;
|
||||
// Non-admins may not belong to admin groups
|
||||
return Permission::get_groups_by_permission('ADMIN')->column('ID');
|
||||
}
|
||||
|
||||
|
||||
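Review bot: `disallowedGroups()` at the end of the hunk chains `->column('ID')` straight onto `Permission::get_groups_by_permission('ADMIN')`, whereas the removed code guarded that call with `($adminGroups) ? $adminGroups->column('ID') : array()`; if a falsy return is possible (say, a site with no admin groups), the new code errors instead of returning the empty list its `@return int[]` docblock promises. Keeping the guard costs two lines: `$adminGroups = Permission::get_groups_by_permission('ADMIN');` followed by `return $adminGroups ? $adminGroups->column('ID') : array();`. A one-line note on `onChangeGroups()` saying it is the save-time enforcement that pairs with the CMS listbox filter would also help readers find both halves of the fix. The enclosing `Member` class continues outside the hunk.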
@ -1475,12 +1484,18 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
||||
$fields->removeByName('LoggedPasswords');
|
||||
|
||||
if(Permission::check('EDIT_PERMISSIONS')) {
|
||||
$groupsMap = array();
|
||||
foreach(Group::get() as $group) {
|
||||
// Listboxfield values are escaped, use ASCII char instead of »
|
||||
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
|
||||
}
|
||||
asort($groupsMap);
|
||||
// Filter allowed groups
|
||||
$groups = Group::get();
|
||||
$disallowedGroupIDs = $this->disallowedGroups();
|
||||
if ($disallowedGroupIDs) {
|
||||
$groups = $groups->exclude('ID', $disallowedGroupIDs);
|
||||
}
|
||||
$groupsMap = array();
|
||||
foreach ($groups as $group) {
|
||||
// Listboxfield values are escaped, use ASCII char instead of »
|
||||
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
|
||||
}
|
||||
asort($groupsMap);
|
||||
$fields->addFieldToTab('Root.Main',
|
||||
ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name())
|
||||
->setMultiple(true)
|
||||
|
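Review bot: The `exclude('ID', $disallowedGroupIDs)` added after `$groups = Group::get()` only narrows what the CMS listbox offers; nothing in this hunk rejects a submitted group ID outside that source, so the protection rests on `onChangeGroups()` being invoked on write, which the hunk does not show. A comment above the filter, `// Presentation-only filter; onChangeGroups() must reject disallowed IDs on save`, would make that dependency explicit for the next reader. The `if ($disallowedGroupIDs)` guard is worth keeping unless `exclude()` is known to treat an empty list as a no-op. The surrounding method starts and ends outside the hunk.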
@ -665,6 +665,36 @@ class MemberTest extends FunctionalTest {
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure DirectGroups listbox disallows admin-promotion
|
||||
*/
|
||||
public function testAllowedGroupsListbox() {
|
||||
/** @var Group $adminGroup */
|
||||
$adminGroup = $this->objFromFixture('Group', 'admingroup');
|
||||
/** @var Member $staffMember */
|
||||
$staffMember = $this->objFromFixture('Member', 'staffmember');
|
||||
/** @var Member $adminMember */
|
||||
$adminMember = $this->objFromFixture('Member', 'admin');
|
||||
|
||||
// Ensure you can see the DirectGroups box
|
||||
$this->logInWithPermission('EDIT_PERMISSIONS');
|
||||
|
||||
// Non-admin member field contains non-admin groups
|
||||
/** @var ListboxField $staffListbox */
|
||||
$staffListbox = $staffMember->getCMSFields()->dataFieldByName('DirectGroups');
|
||||
$this->assertArrayNotHasKey($adminGroup->ID, $staffListbox->getSource());
|
||||
|
||||
// admin member field contains admin group
|
||||
/** @var ListboxField $adminListbox */
|
||||
$adminListbox = $adminMember->getCMSFields()->dataFieldByName('DirectGroups');
|
||||
$this->assertArrayHasKey($adminGroup->ID, $adminListbox->getSource());
|
||||
|
||||
// If logged in as admin, staff listbox has admin group
|
||||
$this->logInWithPermission('ADMIN');
|
||||
$staffListbox = $staffMember->getCMSFields()->dataFieldByName('DirectGroups');
|
||||
$this->assertArrayHasKey($adminGroup->ID, $staffListbox->getSource());
|
||||
}
|
||||
|
||||
/**
|
||||
* Test Member_GroupSet::add
|
||||
*/
|
||||
|
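Review bot: `testAllowedGroupsListbox()` pins the CMS listbox contents but never calls the save-side check directly, so a regression in `Member::onChangeGroups()` would pass this test unnoticed; unless it is covered elsewhere in the file, two assertions would close that gap — after the `EDIT_PERMISSIONS` login, `$this->assertFalse($staffMember->onChangeGroups(array($adminGroup->ID)));`, and after the `ADMIN` login, `$this->assertTrue($staffMember->onChangeGroups(array($adminGroup->ID)));`. The docblock `Ensure DirectGroups listbox disallows admin-promotion` could also mention that the final block verifies an admin actor is exempt, since that is the one case where the restricted source is expected to widen. The `MemberTest` class continues outside the hunk.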