FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)

See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/
Ingo Schommer 2013-08-30 16:27:58 +02:00
parent 8b5c8eab72
commit f803704d91


@ -161,6 +161,8 @@ class PermissionCheckboxSetField extends FormField {
$odd = 0; $odd = 0;
$options = ''; $options = '';
if($this->source) { if($this->source) {
$privilegedPermissions = Permission::config()->privileged_permissions;
// loop through all available categorized permissions and see if they're assigned for the given groups // loop through all available categorized permissions and see if they're assigned for the given groups
foreach($this->source as $categoryName => $permissions) { foreach($this->source as $categoryName => $permissions) {
$options .= "<li><h5>$categoryName</h5></li>"; $options .= "<li><h5>$categoryName</h5></li>";
@ -193,6 +195,11 @@ class PermissionCheckboxSetField extends FormField {
$inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')'; $inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')';
} }
// Disallow modification of "privileged" permissions unless currently logged-in user is an admin
if(!Permission::check('ADMIN') && in_array($code, $privilegedPermissions)) {
$disabled = ' disabled="true"';
}
// If the field is readonly, always mark as "disabled" // If the field is readonly, always mark as "disabled"
if($this->readonly) $disabled = ' disabled="true"'; if($this->readonly) $disabled = ' disabled="true"';
@ -245,6 +252,16 @@ class PermissionCheckboxSetField extends FormField {
$fieldname = $this->name; $fieldname = $this->name;
$managedClass = $this->managedClass; $managedClass = $this->managedClass;
// Remove all "privileged" permissions if the currently logged-in user is not an admin
$privilegedPermissions = Permission::config()->privileged_permissions;
if(!Permission::check('ADMIN')) {
foreach($this->value as $id => $bool) {
if(in_array($id, $privilegedPermissions)) {
unset($this->value[$id]);
}
}
}
// remove all permissions and re-add them afterwards // remove all permissions and re-add them afterwards
$permissions = $record->$fieldname(); $permissions = $record->$fieldname();
foreach ( $permissions as $permission ) { foreach ( $permissions as $permission ) {
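Review bot: In the save-path hunk the new filter only strips privileged codes from the submitted value, while the context lines right after it remove all of the record's permissions and re-add them from that value. The loop body is outside the hunk, but if it deletes every row, a non-admin saving a group that already holds a privileged permission would silently revoke it; the delete step should probably skip privileged codes when `Permission::check('ADMIN')` is false. The filter also iterates `$this->value` without checking that it is an array and uses a loose `in_array`; I would write `if(!Permission::check('ADMIN') && is_array($this->value)) {` and `in_array($id, $privilegedPermissions, true)`, with the same strict call in the render hunk. The enclosing method starts and ends outside the hunk.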