BUGFIX: Don't allow calling of magically added methods via URL unless explicitly listed in allowed_actions
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@64981 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
e9f65ed8e1
commit
ba4a1acc68
@ -171,29 +171,35 @@ class RequestHandler extends ViewableData {
|
||||
if($accessPart !== null) $access = array_merge((array)$access, $accessPart);
|
||||
}
|
||||
}
|
||||
|
||||
if($access === null || (isset($accessParts[1]) && $accessParts[0] === $accessParts[1])) {
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
if($action == 'index') return true;
|
||||
|
||||
// Make checkAccessAction case-insensitive
|
||||
$action = strtolower($action);
|
||||
foreach($access as $k => $v) $newAccess[strtolower($k)] = strtolower($v);
|
||||
$access = $newAccess;
|
||||
if($access) {
|
||||
foreach($access as $k => $v) $newAccess[strtolower($k)] = strtolower($v);
|
||||
$access = $newAccess;
|
||||
|
||||
if(isset($access[$action])) {
|
||||
$test = $access[$action];
|
||||
if($test === true) return true;
|
||||
if(substr($test,0,2) == '->') {
|
||||
$funcName = substr($test,2);
|
||||
return $this->$funcName();
|
||||
if(isset($access[$action])) {
|
||||
$test = $access[$action];
|
||||
if($test === true) return true;
|
||||
if(substr($test,0,2) == '->') {
|
||||
$funcName = substr($test,2);
|
||||
return $this->$funcName();
|
||||
}
|
||||
if(Permission::check($test)) return true;
|
||||
} else if((($key = array_search($action, $access)) !== false) && is_numeric($key)) {
|
||||
return true;
|
||||
}
|
||||
if(Permission::check($test)) return true;
|
||||
} else if((($key = array_search($action, $access)) !== false) && is_numeric($key)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if($access === null || (isset($accessParts[1]) && $accessParts[0] === $accessParts[1])) {
|
||||
// If no allowed_actions are provided, then we should only let through actions that aren't handled by magic methods
|
||||
// we test this by calling the unmagic method_exists and comparing it to the magic $this->hasMethod(). This will
|
||||
// still let through actions that are handled by templates.
|
||||
return method_exists($this, $action) || !$this->hasMethod($action);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
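Review bot: The no-allowed_actions fallback `return method_exists($this, $action) || !$this->hasMethod($action);` still treats every method that physically exists on the class as URL-callable, and `method_exists` answers true for protected and private methods and for anything inherited from ViewableData and its parents, so the commit closes the magic-method hole but leaves the wider one open. Unless the dispatcher (outside this hunk) already checks visibility, guard the `method_exists` half with a `ReflectionMethod::isPublic()` test and extend the comment to say that template-handled actions are still let through because they have no method at all. Separately, the case-folding loop `$newAccess[strtolower($k)] = strtolower($v);` converts an allowed_actions value of `true` into the string `'1'`, so `if($test === true) return true;` a few lines below can never match and the entry falls through to `Permission::check('1')`; keep non-string values as they are with `is_string($v) ? strtolower($v) : $v`. checkAccessAction begins above this hunk, so the callers of the returned bool are not visible here.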