FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)

See http://www.silverstripe.org/ss-2013-005-privilege-escalation-through-apply-roles-assignment/

security/PermissionCheckboxSetField.php

@@ -161,6 +161,8 @@ class PermissionCheckboxSetField extends FormField {
 		$odd = 0;
 		$options = '';
 		if($this->source) {
+			$privilegedPermissions = Permission::config()->privileged_permissions;
+
 			// loop through all available categorized permissions and see if they're assigned for the given groups
 			foreach($this->source as $categoryName => $permissions) {
 				$options .= "<li><h5>$categoryName</h5></li>";
@@ -193,6 +195,11 @@ class PermissionCheckboxSetField extends FormField {
 						$inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')';
 					}
 
+					// Disallow modification of "privileged" permissions unless currently logged-in user is an admin
+					if(!Permission::check('ADMIN') && in_array($code, $privilegedPermissions)) {
+						$disabled = ' disabled="true"';
+					}
+
 					// If the field is readonly, always mark as "disabled"
 					if($this->readonly) $disabled = ' disabled="true"';
 					
@@ -245,6 +252,16 @@ class PermissionCheckboxSetField extends FormField {
 		$fieldname = $this->name;
 		$managedClass = $this->managedClass;
 
+		// Remove all "privileged" permissions if the currently logged-in user is not an admin
+		$privilegedPermissions = Permission::config()->privileged_permissions;
+		if(!Permission::check('ADMIN')) {
+			foreach($this->value as $id => $bool) {
+				if(in_array($id, $privilegedPermissions)) {
+					unset($this->value[$id]);
+				}
+			}	
+		}
+
 		// remove all permissions and re-add them afterwards
 		$permissions = $record->$fieldname();
 		foreach ( $permissions as $permission ) {