Merge pull request #4618 from dhensby/pulls/permission-check-empty-admin

Members with no ID have no permissions
2024-10-22 12:05:37 +00:00 · 2016-01-06 13:50:08 +13:00 · 2016-01-06 13:50:08 +13:00 · 63a1739493
commit 63a1739493
parent d63441623a 4335d8ed22
2 changed files with 15 additions and 1 deletions
--- a/security/Permission.php
+++ b/security/Permission.php
@ -163,6 +163,10 @@ class Permission extends DataObject implements TemplateGlobalProvider {
 			$memberID = (is_object($member)) ? $member->ID : $member;
 		}

+		if (!$memberID) {
+			return false;
+		}
+
 		// Turn the code into an array as we may need to add other permsissions to the set we check
 		if(!is_array($code)) $code = array($code);

--- a/tests/security/PermissionTest.php
+++ b/tests/security/PermissionTest.php
@ -124,4 +124,14 @@ class PermissionTest extends SapphireTest {
 		Config::inst()->remove('Permission', 'hidden_permissions');		
 		$this->assertContains('CMS_ACCESS_LeftAndMain', $permissionCheckboxSet->Field());
 	}
+
+	public function testEmptyMemberFails() {
+		$member = new Member();
+		$this->assertFalse($member->exists());
+
+		$this->logInWithPermission('ADMIN');
+
+		$this->assertFalse(Permission::checkMember($member, 'ADMIN'));
+		$this->assertFalse(Permission::checkMember($member, 'CMS_ACCESS_LeftAndMain'));
+	}
 }