[CVE-2023-48714] Don't show or add records the member isn't allowed to see
This commit is contained in:
Guy Sartorelli 2023-11-29 16:33:42 +13:00
parent b979ce5896
commit 873b721b6b
No known key found for this signature in database
GPG Key ID: F313E3B9504D496A


@ -16,6 +16,7 @@ use SilverStripe\ORM\Filters\SearchFilter;
use SilverStripe\View\ArrayData;
use SilverStripe\View\SSViewer;
use LogicException;
use SilverStripe\Control\HTTPResponse_Exception;
/**
* This class is is responsible for adding objects to another object's has_many
@ -195,11 +196,14 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
if (empty($objectID)) {
return $dataList;
}
$gridField->State->GridFieldAddRelation = null;
$object = DataObject::get_by_id($gridField->getModelClass(), $objectID);
if ($object) {
if (!$object->canView()) {
throw new HTTPResponse_Exception(null, 403);
}
$dataList->add($object);
}
$gridField->State->GridFieldAddRelation = null;
return $dataList;
}
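Review bot: The new guard turns getManipulatedData into an existence oracle: an ID that does not resolve is silently ignored by the `if ($object)` branch, while an ID the member may not view now raises a 403, so a caller can probe GridFieldAddRelation state to learn which IDs exist in the model's table. The doSearch hunk in the same commit simply skips non-viewable records; treating a non-viewable record the same as a missing one here would be consistent and closes the oracle: `if ($object && $object->canView()) { $dataList->add($object); }` (or, if a hard failure is wanted, respond identically in both cases). It is also worth confirming that the GridFieldAddRelation state is cleared on the 403 path — the reset appears before the lookup in this hunk, but the same line is also shown at the end of the method and the rendered view does not make clear which side it belongs to; if only the trailing one survives, the forbidden ID stays in state and every later request on the grid keeps failing.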
@ -265,6 +269,9 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
SSViewer::config()->set('source_file_comments', false);
$viewer = SSViewer::fromString($this->resultsFormat);
foreach ($results as $result) {
if (!$result->canView()) {
continue;
}
$title = Convert::html2raw($viewer->process($result));
$json[] = [
'label' => $title,
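Review bot: The `canView()` skip inside the foreach filters after the query has run, so if `$results` was already truncated to the autocompleter's result limit before this loop (the limit is not visible in the hunk), the response can come back short or empty even though further viewable matches exist, and the number of missing entries leaks how many hidden records matched the search. Iterating the unlimited list and stopping once `count($json)` reaches the limit, or applying the permission filter before the limit, avoids both; a one-line comment such as `// Filter out records the current member may not view (CVE-2023-48714)` above the check would also help the next reader. The foreach and the enclosing method continue past the end of this hunk.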