From f7127c90bcee5d61f5503672dd9a713056077de8 Mon Sep 17 00:00:00 2001 From: Andrew O'Neil Date: Wed, 7 Nov 2007 23:46:00 +0000 Subject: [PATCH] #1586 - Object.php contains request parameter 'debugmethods' git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@44487 467b73ca-7a2a-4603-9d3b-597d59a354a9 --- core/Debug.php | 48 +++++++++++++++++++++++++++++++++++++++++++++++- core/Object.php | 3 ++- 2 files changed, 49 insertions(+), 2 deletions(-) diff --git a/core/Debug.php b/core/Debug.php index 8660aad55..f17c5131b 100644 --- a/core/Debug.php +++ b/core/Debug.php @@ -272,7 +272,53 @@ class Debug { return $funcName; } + + /** + * Check if the user has permissions to run URL debug tools, + * else redirect them to log in. + */ + static function require_developer_login() { + if(Director::isDev()) { + return; + } + if(isset($_SESSION['loggedInAs'])) { + // We have to do some raw SQL here, because this method is called in Object::defineMethods(). + // This means we have to be careful about what objects we create, as we don't want Object::defineMethods() + // being called again. + // This basically calls Permission::checkMember($_SESSION['loggedInAs'], 'ADMIN'); + + $memberID = $_SESSION['loggedInAs']; + + $groups = DB::query("SELECT GroupID from Group_Members WHERE MemberID=" . $memberID); + $groupCSV = implode($groups->column(), ','); + + $permission = DB::query(" + SELECT ID + FROM Permission + WHERE ( + Code = 'ADMIN' + AND Type = " . Permission::GRANT_PERMISSION . " + AND GroupID IN ($groupCSV) + ) + ")->value(); + + if($permission) { + return; + } + } + + // This basically does the same as + // Security::permissionFailure(null, "You need to login with developer access to make use of debugging tools."); + // We have to do this because of how early this method is called in execution. + $_SESSION['Security']['Message']['message'] = "You need to login with developer access to make use of debugging tools."; + $_SESSION['Security']['Message']['type'] = 'warning'; + $_SESSION['BackURL'] = $_SERVER['REQUEST_URI']; + header("HTTP/1.1 302 Found"); + header("Location: " . Director::baseURL() . "Security/login"); + die(); + } } + function errorHandler($errno, $errstr, $errfile, $errline, $errcontext) { switch($errno) { case E_ERROR: @@ -288,4 +334,4 @@ function errorHandler($errno, $errstr, $errfile, $errline, $errcontext) { break; } } -?> \ No newline at end of file +?> diff --git a/core/Object.php b/core/Object.php index 49fecbd2d..15f719838 100755 --- a/core/Object.php +++ b/core/Object.php @@ -267,6 +267,7 @@ class Object { } if(isset($_REQUEST['debugmethods']) && isset(Object::$builtInMethods[$this->class])) { + Debug::require_developer_login(); echo "

Methods defined for $this->class

"; foreach(Object::$builtInMethods[$this->class] as $name => $info) { echo "
  • $name"; @@ -424,4 +425,4 @@ class Object { * // ENFORCE STRONG_CREATE */ Object::useCustomClass('Datetime','SSDatetime',true); -?> \ No newline at end of file +?>