BUGFIX: Don't allow calling of magically added methods via URL unless explicitly listed in allowed_actions

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@64981 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sam Minnee 2008-10-31 02:16:25 +00:00
parent e9f65ed8e1
commit ba4a1acc68


@ -171,29 +171,35 @@ class RequestHandler extends ViewableData {
if($accessPart !== null) $access = array_merge((array)$access, $accessPart);
}
}
if($access === null || (isset($accessParts[1]) && $accessParts[0] === $accessParts[1])) {
return true;
}
if($action == 'index') return true;
// Make checkAccessAction case-insensitive
$action = strtolower($action);
foreach($access as $k => $v) $newAccess[strtolower($k)] = strtolower($v);
$access = $newAccess;
if($access) {
foreach($access as $k => $v) $newAccess[strtolower($k)] = strtolower($v);
$access = $newAccess;
if(isset($access[$action])) {
$test = $access[$action];
if($test === true) return true;
if(substr($test,0,2) == '->') {
$funcName = substr($test,2);
return $this->$funcName();
if(isset($access[$action])) {
$test = $access[$action];
if($test === true) return true;
if(substr($test,0,2) == '->') {
$funcName = substr($test,2);
return $this->$funcName();
}
if(Permission::check($test)) return true;
} else if((($key = array_search($action, $access)) !== false) && is_numeric($key)) {
return true;
}
if(Permission::check($test)) return true;
} else if((($key = array_search($action, $access)) !== false) && is_numeric($key)) {
return true;
}
if($access === null || (isset($accessParts[1]) && $accessParts[0] === $accessParts[1])) {
// If no allowed_actions are provided, then we should only let through actions that aren't handled by magic methods
// we test this by calling the unmagic method_exists and comparing it to the magic $this->hasMethod(). This will
// still let through actions that are handled by templates.
return method_exists($this, $action) || !$this->hasMethod($action);
}
return false;
}
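Review bot: The `if($test === true) return true;` check inside the new `if($access)` block can never match, because the normalisation loop just above it applies `strtolower($v)` to every value and `strtolower(true)` yields the string `"1"`; an `'action' => true` entry therefore falls through to `Permission::check("1")`, which is unlikely to be the intent. Keep booleans intact when lowercasing, e.g. `foreach($access as $k => $v) $newAccess[strtolower($k)] = is_bool($v) ? $v : strtolower($v);`. On the new fallback `return method_exists($this, $action) || !$this->hasMethod($action);`, note that `method_exists` also reports protected and private methods, so a controller with no allowed_actions still passes this check for a URL action that names a non-public helper; whether that matters depends on how the caller invokes the action, which is outside this hunk. checkAccessAction's signature and the `$accessParts` setup begin before the hunk.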