Merge pull request #11113 from creative-commoners/pulls/4.13/cve-2023-48714

[CVE-2023-48714] Don't show or add records the member isn't allowed to
Sabina Talipova 2024-01-23 11:46:28 +13:00 committed by GitHub
commit 6fe377e69d


@ -16,6 +16,7 @@ use SilverStripe\ORM\Filters\SearchFilter;
use SilverStripe\View\ArrayData;
use SilverStripe\View\SSViewer;
use LogicException;
use SilverStripe\Control\HTTPResponse_Exception;
/**
* This class is is responsible for adding objects to another object's has_many
@ -195,11 +196,14 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
if (empty($objectID)) {
return $dataList;
}
$gridField->State->GridFieldAddRelation = null;
$object = DataObject::get_by_id($gridField->getModelClass(), $objectID);
if ($object) {
if (!$object->canView()) {
throw new HTTPResponse_Exception(null, 403);
}
$dataList->add($object);
}
$gridField->State->GridFieldAddRelation = null;
return $dataList;
}
@ -265,6 +269,9 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
SSViewer::config()->set('source_file_comments', false);
$viewer = SSViewer::fromString($this->resultsFormat);
foreach ($results as $result) {
if (!$result->canView()) {
continue;
}
$title = Convert::html2raw($viewer->process($result));
$json[] = [
'label' => $title,
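Review bot: The `canView()` guard inside the `foreach` in the last hunk discards records only after `$results` has been assembled, so if that list was already capped by a result limit before this loop (the limit is not visible in the hunk, so this is inferred), a batch of mostly non-viewable matches comes back shorter than the limit or empty even though viewable matches exist further down the query. If that is the case, the permission filter would be better applied before the cap is taken, e.g. `$results = $results->filterByCallback(static fn ($r): bool => $r->canView());` ahead of the limit and the `foreach`, leaving the loop to render only; otherwise the trade-off deserves a one-line comment at the `continue`, such as `// Non-viewable records are dropped after limiting, so fewer rows than the limit may be returned`. The enclosing search method starts before this hunk and continues past it.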