FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)

See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
This commit is contained in:
Ingo Schommer 2013-08-30 16:24:24 +02:00
parent ec8e8261f2
commit a914dee6d9

View File

@ -194,6 +194,11 @@ class PermissionCheckboxSetField extends FormField {
$inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')'; $inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')';
} }
// Disallow modification of "privileged" permissions unless currently logged-in user is an admin
if(!Permission::check('ADMIN') && in_array($code, Permission::$privileged_permissions)) {
$disabled = ' disabled="true"';
}
// If the field is readonly, always mark as "disabled" // If the field is readonly, always mark as "disabled"
if($this->readonly) $disabled = ' disabled="true"'; if($this->readonly) $disabled = ' disabled="true"';
@ -218,6 +223,16 @@ class PermissionCheckboxSetField extends FormField {
$fieldname = $this->name; $fieldname = $this->name;
$managedClass = $this->managedClass; $managedClass = $this->managedClass;
// Remove all "privileged" permissions if the currently logged-in user is not an admin
if(!Permission::check('ADMIN')) {
foreach($this->value as $id => $bool) {
if(in_array($id, Permission::$privileged_permissions)) {
unset($this->value[$id]);
}
}
}
// remove all permissions and re-add them afterwards // remove all permissions and re-add them afterwards
$permissions = $record->$fieldname(); $permissions = $record->$fieldname();
foreach ( $permissions as $permission ) { foreach ( $permissions as $permission ) {