Fix administrators not being able to see files that are restricted to groups

Resolves https://github.com/silverstripe/silverstripe-asset-admin/issues/777
bergice 2019-09-16 17:41:21 +12:00
parent 92300051a7
commit 6a1c6ecec6
3 changed files with 32 additions and 15 deletions


@ -357,21 +357,25 @@ class InheritedPermissions implements PermissionChecker, MemberCacheFlusher
$baseTable = DataObject::getSchema()->baseDataTable($this->getBaseClass()); $baseTable = DataObject::getSchema()->baseDataTable($this->getBaseClass());
if ($member && $member->ID) { if ($member && $member->ID) {
// Determine if this member matches any of the group or other rules if (!Permission::checkMember($member, 'ADMIN')) {
$groupJoinTable = $this->getJoinTable($type); // Determine if this member matches any of the group or other rules
$uninheritedPermissions = $stageRecords $groupJoinTable = $this->getJoinTable($type);
->where([ $uninheritedPermissions = $stageRecords
"(\"$typeField\" IN (?, ?) OR " . "(\"$typeField\" = ? AND \"$groupJoinTable\".\"{$baseTable}ID\" IS NOT NULL))" ->where([
=> [ "(\"$typeField\" IN (?, ?) OR " . "(\"$typeField\" = ? AND \"$groupJoinTable\".\"{$baseTable}ID\" IS NOT NULL))"
self::ANYONE, => [
self::LOGGED_IN_USERS, self::ANYONE,
self::ONLY_THESE_USERS self::LOGGED_IN_USERS,
] self::ONLY_THESE_USERS
]) ]
->leftJoin( ])
$groupJoinTable, ->leftJoin(
"\"$groupJoinTable\".\"{$baseTable}ID\" = \"{$baseTable}\".\"ID\" AND " . "\"$groupJoinTable\".\"GroupID\" IN ($groupIDsSQLList)" $groupJoinTable,
)->column('ID'); "\"$groupJoinTable\".\"{$baseTable}ID\" = \"{$baseTable}\".\"ID\" AND " . "\"$groupJoinTable\".\"GroupID\" IN ($groupIDsSQLList)"
)->column('ID');
} else {
$uninheritedPermissions = $stageRecords->column('ID');
}
} else { } else {
// Only view pages with ViewType = Anyone if not logged in // Only view pages with ViewType = Anyone if not logged in
$uninheritedPermissions = $stageRecords $uninheritedPermissions = $stageRecords
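Review bot: The new `else` branch (`$uninheritedPermissions = $stageRecords->column('ID');`) returns every ID in `$stageRecords` for an ADMIN member under whatever `$type` is being evaluated, but the commit title and the added test cover viewing only. Since the surrounding code selects the join table with `getJoinTable($type)`, the bypass presumably applies to other permission types as well. If that is intended, record it at the branch with a comment such as `// ADMIN skips group restrictions for every permission $type handled here`. The enclosing method starts and ends outside the hunk, so how `$stageRecords` is scoped before this point should be confirmed before relying on the bypass.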


@ -151,6 +151,8 @@ class InheritedPermissionsTest extends SapphireTest
$protected = $this->objFromFixture(TestPermissionNode::class, 'protected'); $protected = $this->objFromFixture(TestPermissionNode::class, 'protected');
$protectedChild = $this->objFromFixture(TestPermissionNode::class, 'protected-child'); $protectedChild = $this->objFromFixture(TestPermissionNode::class, 'protected-child');
$editor = $this->objFromFixture(Member::class, 'editor'); $editor = $this->objFromFixture(Member::class, 'editor');
$restricted = $this->objFromFixture(TestPermissionNode::class, 'restricted-page');
$admin = $this->objFromFixture(Member::class, 'admin');
// Not logged in user can only access Inherit or Anyone pages // Not logged in user can only access Inherit or Anyone pages
Member::actAs( Member::actAs(
@ -182,6 +184,9 @@ class InheritedPermissionsTest extends SapphireTest
$this->rootPermissions->setCanView(false); $this->rootPermissions->setCanView(false);
$this->assertFalse($history->canView($editor)); $this->assertFalse($history->canView($editor));
// Ensure admins can view everything, even if only a certain group is allowed to view it
$this->assertTrue($restricted->canView($admin));
} }
public function testUnstagedViewPermissions() public function testUnstagedViewPermissions()
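Review bot: The added assertion `$this->assertTrue($restricted->canView($admin));` checks only the allow path. Nothing in the hunk asserts that `restricted-page` remains denied to a logged-in member outside the `allsections` group or to an anonymous visitor, so a change that opened the page to everyone would still pass. Add a deny assertion next to it, e.g. `$this->assertFalse($restricted->canView($outsider));`, where `$outsider` stands for a fixture member known not to be in the group (whether `$editor` qualifies cannot be told from the hunk). The fixture also gains an unstaged `restricted-page`, yet no visible hunk adds a matching assertion to `testUnstagedViewPermissions()`. The test method being extended starts outside the hunk.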


@ -100,6 +100,10 @@ SilverStripe\Security\Tests\InheritedPermissionsTest\TestPermissionNode:
Title: Child Title: Child
CanViewType: Inherit CanViewType: Inherit
Parent: =>SilverStripe\Security\Tests\InheritedPermissionsTest\TestPermissionNode.protected Parent: =>SilverStripe\Security\Tests\InheritedPermissionsTest\TestPermissionNode.protected
restricted-page:
Title: Restricted Page
CanViewType: OnlyTheseUsers
ViewerGroups: =>SilverStripe\Security\Group.allsections
SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode: SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode:
about: about:
@ -167,3 +171,7 @@ SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode:
Title: Child Title: Child
CanViewType: Inherit CanViewType: Inherit
Parent: =>SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode.protected Parent: =>SilverStripe\Security\Tests\InheritedPermissionsTest\UnstagedNode.protected
restricted-page:
Title: Restricted Page
CanViewType: OnlyTheseUsers
ViewerGroups: =>SilverStripe\Security\Group.allsections