mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-02 14:18:46 +02:00
API File->canEdit() returns TRUE by default (not checking CMS perms)
This is a measure to support form fields and controllers interacting with files in different contexts, for example an UploadField used in a ModelAdmin, or a website frontend. The check for 'CMS_ACCESS_AssetAdmin' was too restricting. This wasn't a problem in 2.x simply because the old FileField/Upload classes didn't respect File->can*() permissions.
This commit is contained in:
parent
7023669754
commit
a3295e2a37
@ -10,3 +10,4 @@
|
|||||||
`debug_profile`, `debug_memory`, `profile_trace`, `debug_javascript`, `debug_behaviour`
|
`debug_profile`, `debug_memory`, `profile_trace`, `debug_javascript`, `debug_behaviour`
|
||||||
* Removed `Member_ProfileForm`, use `CMSProfileController` instead
|
* Removed `Member_ProfileForm`, use `CMSProfileController` instead
|
||||||
* `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.
|
* `SiteTree::$nested_urls` enabled by default. To disable, call `SiteTree::disable_nested_urls()`.
|
||||||
|
* Removed CMS permission checks from `File->canEdit()` and `File->canDelete()`. If you have unsecured controllers relying on these permissions, please override them through a `DataExtension`.
|
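Review bot: The added changelog bullet understates a security-relevant default change. It says the CMS permission checks were removed, but not that `File->canEdit()` now returns true for every caller whenever no extension gives an answer, so an upgraded site fails open on any controller or form field that relied on the old check. State the new default explicitly, name 'CMS_ACCESS_AssetAdmin' as the permission code that used to be enforced, and say that a `canEdit` method on a `DataExtension` is what `extendedCan('canEdit', $member)` consults to restore it. The bullet also names `File->canDelete()`, while the only code change shown on this page is in `canEdit()`; spell out how `canDelete()` is affected or drop it from the bullet.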
@ -293,7 +293,7 @@ class File extends DataObject {
|
|||||||
$result = $this->extendedCan('canEdit', $member);
|
$result = $this->extendedCan('canEdit', $member);
|
||||||
if($result !== null) return $result;
|
if($result !== null) return $result;
|
||||||
|
|
||||||
return Permission::checkMember($member, 'CMS_ACCESS_AssetAdmin');
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
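Review bot: The new `return true;` at the end of `canEdit()` makes the method fail open: once `extendedCan('canEdit', $member)` returns null, the edit is allowed regardless of what `$member` is, where the removed line required 'CMS_ACCESS_AssetAdmin'. If the goal is only to stop tying file edits to AssetAdmin access, consider a narrower default than unconditional true, so that code calling `canEdit()` as its only guard does not silently lose its protection. If unconditional true is intended, the method's docblock should say that the default is allow and that restrictions must come from an extension, and a test should assert that an extension returning false still denies the edit.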