FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)

See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/

admin/code/SecurityAdmin.php

@@ -86,7 +86,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 		$columns->setDisplayFields(array(
 			'Breadcrumbs' => singleton('Group')->fieldLabel('Title')
 		));
-		
+
 		$fields = new FieldList(
 			$root = new TabSet(
 				'Root',
@@ -100,34 +100,42 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 									. ' database'
 							)
 						)
-					),
-					new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
-					new LiteralField(
-						'MemberImportFormIframe',
-						sprintf(
-							'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" border="0">'
-							. '</iframe>',
-							$this->Link('memberimport')
-						)
 					)
 				),
 				$groupsTab = new Tab('Groups', singleton('Group')->i18n_plural_name(),
-					$groupList,
-					new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
-					new LiteralField(
-						'GroupImportFormIframe',
-						sprintf(
-							'<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" border="0">'
-							. '</iframe>',
-							$this->Link('groupimport')
-						)
-					)
+					$groupList
 				)
 			),
 			// necessary for tree node selection in LeftAndMain.EditForm.js
 			new HiddenField('ID', false, 0)
 		);
 
+		// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
+		if(Permission::check('ADMIN')) {
+			$fields->addFieldsToTab('Root.Users', array(
+				new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
+				new LiteralField(
+					'MemberImportFormIframe',
+					sprintf(
+						'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" border="0">'
+						. '</iframe>',
+						$this->Link('memberimport')
+					)
+				)
+			));
+			$fields->addFieldsToTab('Root.Groups', array(
+				new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
+				new LiteralField(
+					'GroupImportFormIframe',
+					sprintf(
+						'<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" border="0">'
+						. '</iframe>',
+						$this->Link('groupimport')
+					)
+				)
+			));
+		}
+
 		// Tab nav in CMS is rendered through separate template		
 		$root->setTemplate('CMSTabSet');
 		
@@ -194,6 +202,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 	 * @return Form
 	 */
 	public function MemberImportForm() {
+		if(!Permission::check('ADMIN')) return false;
+
 		$group = $this->currentPage();
 		$form = new MemberImportForm(
 			$this,
@@ -224,6 +234,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 	 * @return Form
 	 */
 	public function GroupImportForm() {
+		if(!Permission::check('ADMIN')) return false;
+
 		$form = new GroupImportForm(
 			$this,
 			'GroupImportForm'

docs/en/changelogs/3.0.6.md

@@ -26,6 +26,10 @@ a custom start up script will still process all flush requests as normal.
 ### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
 
 See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)
+
+### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)
+
+See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)
 ## Upgrading
 
  * If you have created your own composite database fields, then you should amend the setValue() to allow the passing of