tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11113 from creative-commoners/pulls/4.13/cve-2023-48714

Browse Source 
[CVE-2023-48714] Don't show or add records the member isn't allowed to
This commit is contained in:
Sabina Talipova 2024-01-23 11:46:28 +13:00 committed by GitHub
commit 6fe377e69d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/Forms/GridField/GridFieldAddExistingAutocompleter.php
View File

@ -16,6 +16,7 @@ use SilverStripe\ORM\Filters\SearchFilter;
use SilverStripe\View\ArrayData; use SilverStripe\View\ArrayData;
use SilverStripe\View\SSViewer; use SilverStripe\View\SSViewer;
use LogicException; use LogicException;
use SilverStripe\Control\HTTPResponse_Exception;
/** /**
* This class is is responsible for adding objects to another object's has_many * This class is is responsible for adding objects to another object's has_many
@ -195,11 +196,14 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
if (empty($objectID)) { if (empty($objectID)) {
return $dataList; return $dataList;
} }
$gridField->State->GridFieldAddRelation = null;
$object = DataObject::get_by_id($gridField->getModelClass(), $objectID); $object = DataObject::get_by_id($gridField->getModelClass(), $objectID);
if ($object) { if ($object) {
if (!$object->canView()) {
throw new HTTPResponse_Exception(null, 403);
}
$dataList->add($object); $dataList->add($object);
} }
$gridField->State->GridFieldAddRelation = null;
return $dataList; return $dataList;
} }
@ -265,6 +269,9 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
SSViewer::config()->set('source_file_comments', false); SSViewer::config()->set('source_file_comments', false);
$viewer = SSViewer::fromString($this->resultsFormat); $viewer = SSViewer::fromString($this->resultsFormat);
foreach ($results as $result) { foreach ($results as $result) {
if (!$result->canView()) {
continue;
}
$title = Convert::html2raw($viewer->process($result)); $title = Convert::html2raw($viewer->process($result));
$json[] = [ $json[] = [
'label' => $title, 'label' => $title,