tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/3.5.8' into 3.6.6

Browse Source
This commit is contained in:
Robbie Averill 2018-05-10 15:52:23 +12:00
commit 8b750b3d80
4 changed files with 75 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/en/04_Changelogs/3.5.8.md Normal file
View File

@ -0,0 +1,9 @@
# 3.5.8
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2018-04-11 [577138882]() Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)

9
docs/en/04_Changelogs/rc/3.5.8-rc1.md Normal file
View File

@ -0,0 +1,9 @@
# 3.5.8-rc1
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2018-04-11 [577138882]() Restrict non-admins from being assigned to admin groups (Damian Mooyman) - See [ss-2018-001](http://www.silverstripe.org/download/security-releases/ss-2018-001)

39
security/Member.php
View File

@ -1050,15 +1050,24 @@ class Member extends DataObject implements TemplateGlobalProvider {
* @return boolean True if the change can be accepted * @return boolean True if the change can be accepted
*/ */
public function onChangeGroups($ids) { public function onChangeGroups($ids) {
// Ensure none of these match disallowed list
$disallowedGroupIDs = $this->disallowedGroups();
return count(array_intersect($ids, $disallowedGroupIDs)) == 0;
}
/**
* List of group IDs this user is disallowed from
*
* @return int[] List of group IDs
*/
protected function disallowedGroups() {
// unless the current user is an admin already OR the logged in user is an admin // unless the current user is an admin already OR the logged in user is an admin
if(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) { if (Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
return true; return array();
} }
// If there are no admin groups in this set then it's ok // Non-admins may not belong to admin groups
$adminGroups = Permission::get_groups_by_permission('ADMIN'); return Permission::get_groups_by_permission('ADMIN')->column('ID');
$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
return count(array_intersect($ids, $adminGroupIDs)) == 0;
} }
@ -1473,12 +1482,18 @@ class Member extends DataObject implements TemplateGlobalProvider {
$fields->removeByName('LoggedPasswords'); $fields->removeByName('LoggedPasswords');
if(Permission::check('EDIT_PERMISSIONS')) { if(Permission::check('EDIT_PERMISSIONS')) {
$groupsMap = array(); // Filter allowed groups
foreach(Group::get() as $group) { $groups = Group::get();
// Listboxfield values are escaped, use ASCII char instead of &raquo; $disallowedGroupIDs = $this->disallowedGroups();
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > '); if ($disallowedGroupIDs) {
} $groups = $groups->exclude('ID', $disallowedGroupIDs);
asort($groupsMap); }
$groupsMap = array();
foreach ($groups as $group) {
// Listboxfield values are escaped, use ASCII char instead of &raquo;
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
}
asort($groupsMap);
$fields->addFieldToTab('Root.Main', $fields->addFieldToTab('Root.Main',
ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name()) ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name())
->setMultiple(true) ->setMultiple(true)

30
tests/security/MemberTest.php
View File

@ -665,6 +665,36 @@ class MemberTest extends FunctionalTest {
); );
} }
/**
* Ensure DirectGroups listbox disallows admin-promotion
*/
public function testAllowedGroupsListbox() {
/** @var Group $adminGroup */
$adminGroup = $this->objFromFixture('Group', 'admingroup');
/** @var Member $staffMember */
$staffMember = $this->objFromFixture('Member', 'staffmember');
/** @var Member $adminMember */
$adminMember = $this->objFromFixture('Member', 'admin');
// Ensure you can see the DirectGroups box
$this->logInWithPermission('EDIT_PERMISSIONS');
// Non-admin member field contains non-admin groups
/** @var ListboxField $staffListbox */
$staffListbox = $staffMember->getCMSFields()->dataFieldByName('DirectGroups');
$this->assertArrayNotHasKey($adminGroup->ID, $staffListbox->getSource());
// admin member field contains admin group
/** @var ListboxField $adminListbox */
$adminListbox = $adminMember->getCMSFields()->dataFieldByName('DirectGroups');
$this->assertArrayHasKey($adminGroup->ID, $adminListbox->getSource());
// If logged in as admin, staff listbox has admin group
$this->logInWithPermission('ADMIN');
$staffListbox = $staffMember->getCMSFields()->dataFieldByName('DirectGroups');
$this->assertArrayHasKey($adminGroup->ID, $staffListbox->getSource());
}
/** /**
* Test Member_GroupSet::add * Test Member_GroupSet::add
*/ */