From 873b721b6b999c5ac189326cf9e1893a4df7d1f8 Mon Sep 17 00:00:00 2001
From: Guy Sartorelli
Date: Wed, 29 Nov 2023 16:33:42 +1300
Subject: [PATCH] [CVE-2023-48714] Don't show or add records the member isn't allowed to see

---
 .../GridField/GridFieldAddExistingAutocompleter.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/Forms/GridField/GridFieldAddExistingAutocompleter.php b/src/Forms/GridField/GridFieldAddExistingAutocompleter.php
index ff6176d92..cebb1e2c4 100644
--- a/src/Forms/GridField/GridFieldAddExistingAutocompleter.php
+++ b/src/Forms/GridField/GridFieldAddExistingAutocompleter.php
@@ -16,6 +16,7 @@ use SilverStripe\ORM\Filters\SearchFilter;
 use SilverStripe\View\ArrayData;
 use SilverStripe\View\SSViewer;
 use LogicException;
+use SilverStripe\Control\HTTPResponse_Exception;
 
 /**
  * This class is is responsible for adding objects to another object's has_many
@@ -195,11 +196,14 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
         if (empty($objectID)) {
             return $dataList;
         }
+        $gridField->State->GridFieldAddRelation = null;
         $object = DataObject::get_by_id($gridField->getModelClass(), $objectID);
         if ($object) {
+            if (!$object->canView()) {
+                throw new HTTPResponse_Exception(null, 403);
+            }
             $dataList->add($object);
         }
-        $gridField->State->GridFieldAddRelation = null;
         return $dataList;
     }
 
@@ -265,6 +269,9 @@ class GridFieldAddExistingAutocompleter extends AbstractGridFieldComponent imple
         SSViewer::config()->set('source_file_comments', false);
         $viewer = SSViewer::fromString($this->resultsFormat);
         foreach ($results as $result) {
+            if (!$result->canView()) {
+                continue;
+            }
             $title = Convert::html2raw($viewer->process($result));
             $json[] = [
                 'label' => $title,
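Review bot: The reason `$gridField->State->GridFieldAddRelation = null;` was moved above the `DataObject::get_by_id()` lookup is not recorded anywhere in the code, so a later reader sees only an unexplained reordering next to the new `canView()` check. It presumably ensures the pending ID is cleared before the check can throw, so a rejected request does not leave the ID sitting in the GridField state to be re-applied on the next load; if that is the intent, a comment above the moved line such as `// Clear the pending ID first so the 403 below doesn't leave it in state to be retried` would preserve it. Note that `canView()` is only a view-permission check on the target record; whether the current member may modify the owning relation is not established by this hunk and is presumably enforced elsewhere, which is worth confirming. The enclosing method begins before this hunk, so the origin of `$objectID` is not visible here.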
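Review bot: The new `canView()` filter is applied in PHP after `$results` has already been fetched, so if the query is limited earlier in this method (outside the hunk) the JSON response can come back with fewer entries than the limit, or empty, even though further viewable matches exist. That is a usability rather than a security regression, but the `continue` deserves a comment such as `// Post-filter: records the member can't view are dropped, so the result set may be shorter than the query limit` so the behaviour is not later mistaken for a search bug. Each skipped row also costs one permission check with nothing shown for it; if the limit is large, consider checking permissions before the limit is applied or noting the trade-off. The method's start and the construction of `$results` lie outside this hunk.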