From 856991d644b51f0dfbf0b9d0f72eb4171b68a6ca Mon Sep 17 00:00:00 2001
From: carlos barberis
Date: Thu, 14 Jun 2012 18:45:12 +1200
Subject: [PATCH] BUGFIX: Ticket #6069 Checking of URLSegment can end in an infinite loop (when saving Page in CMS)
---
 control/RequestHandler.php | 10 +++++-----
 tests/control/ControllerTest.php | 8 +++++++-
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/control/RequestHandler.php b/control/RequestHandler.php
index fb4dc307c..27fa5b3d1 100644
--- a/control/RequestHandler.php
+++ b/control/RequestHandler.php
@@ -244,18 +244,18 @@ class RequestHandler extends ViewableData {
 $action = strtolower($action);
 $actions = $this->allowedActions();
-
+
 // Check if the action is defined in the allowed actions as either a
 // key or value. Note that if the action is numeric, then keys are not
 // searched for actions to prevent actual array keys being recognised
 // as actions.
 if(is_array($actions)) {
 $isKey = !is_numeric($action) && array_key_exists($action, $actions);
- $isValue = in_array($action, $actions);
-
- if($isKey || $isValue) return true;
+ $isValue = in_array($action, $actions, true);
+ $isWildcard = (in_array('*', $actions) && $this->checkAccessAction($action));
+ if($isKey || $isValue || $isWildcard) return true;
 }
-
+
 if(!is_array($actions) || !$this->config()->get('allowed_actions', Config::UNINHERITED | Config::EXCLUDE_EXTRA_SOURCES)) {
 if($action != 'init' && $action != 'run' && method_exists($this, $action)) return true;
 }
diff --git a/tests/control/ControllerTest.php b/tests/control/ControllerTest.php
index 0c47f08db..6798c9bb1 100644
--- a/tests/control/ControllerTest.php
+++ b/tests/control/ControllerTest.php
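Review bot: The new `$isWildcard` line tests the wildcard with a loose `in_array('*', $actions)` immediately after `$isValue` was tightened to a strict `in_array($action, $actions, true)`; under loose comparison a non-empty string equals `true`, so if `$actions` may hold boolean values (as in an `'action' => true` entry) every such array switches wildcard handling on, and on PHP before 8 an integer `0` value does the same. It should read `$isWildcard = in_array('*', $actions, true) && $this->checkAccessAction($action);`. The check also looks at values only; if `'*'` is accepted as a key (e.g. `'*' => 'SOME_PERMISSION_CODE'`), `array_key_exists('*', $actions)` would be needed alongside it — worth confirming against the documented allowed_actions forms. Because checkAccessAction() is defined outside this hunk and the ticket concerns an infinite loop between these checks, a one-line comment on the new line such as `// '*' defers to checkAccessAction(); it must not call back into this method or #6069 recurs` would protect the fix from regressing. The enclosing method starts and ends outside the hunk.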
@@ -57,7 +57,7 @@ class ControllerTest extends FunctionalTest {
 );
 $response = $this->get("ControllerTest_FullSecuredController/adminonly");
- $this->assertEquals(403, $response->getStatusCode(),
+ $this->assertEquals(404, $response->getStatusCode(),
 "Actions can be globally disallowed by using asterisk (*) instead of a method name"
 );
@@ -73,6 +73,12 @@ class ControllerTest extends FunctionalTest {
 $response->getStatusCode(),
 "Permission codes are respected when set in \$allowed_actions"
 );
+
+ $response = $this->get("ControllerTest_FullSecuredController/adminonly");
+ $this->assertEquals(200, $response->getStatusCode(),
+ "Actions can be globally disallowed by using asterisk (*) instead of a method name"
+ );
+ $this->session()->inst_set('loggedInAs', null);
 }
 /**
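Review bot: The expected status for the anonymous request to `adminonly` moves from 403 to 404, but the assertion message still reads "Actions can be globally disallowed …", which no longer describes what is asserted: a 404 means an existing, permission-protected action is now indistinguishable from a missing route for a user without the permission. If that concealment is the intended behaviour of the wildcard handling, the message should say so, e.g. `"Actions protected by a wildcard (*) permission answer 404 to users without that permission"`; if it is a side effect of the RequestHandler change rather than a design decision, the 403 expectation deserves a second look before it is locked in by the test. The enclosing test method starts and ends outside the hunk.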
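Review bot: The new `assertEquals(200, …)` on `adminonly` reuses the message "Actions can be globally disallowed by using asterisk (*) instead of a method name", yet this assertion checks that access is granted, so a failure would be reported under a misleading description; `"Wildcard (*) permission codes grant access once the user holds the required permission"` states what the line actually tests. The `inst_set('loggedInAs', null)` cleanup at the end of the block is only reached when the preceding assertions pass, so a failing assertion leaves the session logged in for whatever follows in this method — whether tearDown resets the session is outside the hunk and worth confirming; otherwise move the reset into a `try`/`finally` or the test's teardown. The enclosing test method starts outside the hunk.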