Merge pull request #11113 from creative-commoners/pulls/4.13/cve-2023-48714
[CVE-2023-48714] Don't show or add records the member isn't allowed to
commit
6fe377e69d
@ -16,6 +16,7 @@ use SilverStripe\ORM\Filters\SearchFilter;
|
||||
use SilverStripe\View\ArrayData;
|
||||
use SilverStripe\View\SSViewer;
|
||||
use LogicException;
|
||||
use SilverStripe\Control\HTTPResponse_Exception;
|
||||
|
||||
/**
|
||||
* This class is is responsible for adding objects to another object's has_many
|
||||
@ -195,11 +196,14 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
|
||||
if (empty($objectID)) {
|
||||
return $dataList;
|
||||
}
|
||||
$gridField->State->GridFieldAddRelation = null;
|
||||
$object = DataObject::get_by_id($gridField->getModelClass(), $objectID);
|
||||
if ($object) {
|
||||
if (!$object->canView()) {
|
||||
throw new HTTPResponse_Exception(null, 403);
|
||||
}
|
||||
$dataList->add($object);
|
||||
}
|
||||
$gridField->State->GridFieldAddRelation = null;
|
||||
return $dataList;
|
||||
}
|
||||
|
||||
@ -265,6 +269,9 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
|
||||
SSViewer::config()->set('source_file_comments', false);
|
||||
$viewer = SSViewer::fromString($this->resultsFormat);
|
||||
foreach ($results as $result) {
|
||||
if (!$result->canView()) {
|
||||
continue;
|
||||
}
|
||||
$title = Convert::html2raw($viewer->process($result));
|
||||
$json[] = [
|
||||
'label' => $title,
|
||||
|
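Review bot: In the second hunk (`@ -195,11 +196,14 @@`), a record that exists but fails `canView()` gets a 403, while an ID that matches no record is silently ignored and the unchanged list is returned, so the response still tells the caller whether a record with that ID exists. Treating both cases the same way, e.g. `if (!$object || !$object->canView()) { throw new HTTPResponse_Exception(null, 403); }`, keeps the new guard from acting as an existence check. The enclosing method starts before the hunk, so whether earlier lines already validate `$objectID` is not visible here. The `$gridField->State->GridFieldAddRelation = null;` reset appears both before the lookup and after it; presumably one is the old position and one the new, but with the `+`/`-` markers lost that cannot be confirmed from this page.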