tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)

Browse Source 
See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
This commit is contained in:
Ingo Schommer 2013-08-30 16:24:24 +02:00
parent ec8e8261f2
commit a914dee6d9
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
security/PermissionCheckboxSetField.php
View File

@ -193,6 +193,11 @@ class PermissionCheckboxSetField extends FormField {
// show its origin automatically
$inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')';
}
// Disallow modification of "privileged" permissions unless currently logged-in user is an admin
if(!Permission::check('ADMIN') && in_array($code, Permission::$privileged_permissions)) {
$disabled = ' disabled="true"';
}
// If the field is readonly, always mark as "disabled"
if($this->readonly) $disabled = ' disabled="true"';
@ -218,6 +223,16 @@ class PermissionCheckboxSetField extends FormField {
$fieldname = $this->name;
$managedClass = $this->managedClass;
// Remove all "privileged" permissions if the currently logged-in user is not an admin
if(!Permission::check('ADMIN')) {
foreach($this->value as $id => $bool) {
if(in_array($id, Permission::$privileged_permissions)) {
unset($this->value[$id]);
}
}
}
// remove all permissions and re-add them afterwards
$permissions = $record->$fieldname();
foreach ( $permissions as $permission ) {