API CHANGE Don't exempt 'index' controller actions from $allowed_actions check - they might still contain sensitive information (for example ImageEditor). This action has to explicitly allowed on controllers with $allowed_actions defined now.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86002 467b73ca-7a2a-4603-9d3b-597d59a354a9

core/control/RequestHandler.php

@@ -192,8 +192,6 @@ class RequestHandler extends ViewableData {
 			}
 		}
 		
-		if($action == 'index') return true;
-		
 		if($allowedActions)  {
 			// convert all keys and values to lowercase for easier comparison (only if not set as boolean)
 			foreach($allowedActions as $key => $value) {

core/model/DatabaseAdmin.php

@@ -14,6 +14,7 @@ class DatabaseAdmin extends Controller {
 
 	/// SECURITY ///
 	static $allowed_actions = array(
+		'index',
 		'build',
 		'cleanup',
 		'testinstall',

tests/ControllerTest.php

@@ -41,6 +41,11 @@ class ControllerTest extends SapphireTest {
 			"test that a controller without a specified allowed_actions allows actions through"
 		);
 		
+		$response = Director::test("ControllerTest_FullSecuredController/index");
+		$this->assertEquals(403, $response->getStatusCode(),
+			"Actions can be globally disallowed by using asterisk (*) for index method"
+		);
+		
 		$response = Director::test("ControllerTest_FullSecuredController/adminonly");
 		$this->assertEquals(403, $response->getStatusCode(),
 			"Actions can be globally disallowed by using asterisk (*) instead of a method name"