From fc03a8608af72fa52a518b41659c0d3e29109ce0 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Thu, 10 Sep 2009 01:37:44 +0000
Subject: [PATCH] API CHANGE Don't exempt 'index' controller actions from $allowed_actions check - they might still contain sensitive information (for example ImageEditor). This action has to explicitly allowed on controllers with $allowed_actions defined now.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86002 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 core/control/RequestHandler.php | 2 --
 core/model/DatabaseAdmin.php | 1 +
 tests/ControllerTest.php | 5 +++++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/core/control/RequestHandler.php b/core/control/RequestHandler.php
index 74cf77663..39b3083c6 100644
--- a/core/control/RequestHandler.php
+++ b/core/control/RequestHandler.php
@@ -192,8 +192,6 @@ class RequestHandler extends ViewableData {
 }
 }
- if($action == 'index') return true;
-
 if($allowedActions) {
 // convert all keys and values to lowercase for easier comparison (only if not set as boolean)
 foreach($allowedActions as $key => $value) {
diff --git a/core/model/DatabaseAdmin.php b/core/model/DatabaseAdmin.php
index a3ccc3e74..b5deec239 100644
--- a/core/model/DatabaseAdmin.php
+++ b/core/model/DatabaseAdmin.php
@@ -14,6 +14,7 @@ class DatabaseAdmin extends Controller {
 /// SECURITY ///
 static $allowed_actions = array(
+ 'index',
 'build',
 'cleanup',
 'testinstall',
diff --git a/tests/ControllerTest.php b/tests/ControllerTest.php
index ecb4b57d4..7102eb220 100644
--- a/tests/ControllerTest.php
+++ b/tests/ControllerTest.php
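Review bot: With the `if($action == 'index') return true;` short-circuit gone, any controller that declares `$allowed_actions` without listing `index` now answers its default URL with 403, and the diffstat shows only DatabaseAdmin being adjusted for that; nothing in the remaining code records the new rule. I'd add above the `if($allowedActions) {` line: `// 'index' gets no special treatment: a controller that defines $allowed_actions must list it for its default action to be reachable`. Controllers without `$allowed_actions` are unaffected, since the `if($allowedActions)` guard still falls through for them. The enclosing method starts and ends outside the hunk.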
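Review bot: The new `'index',` entry under the `/// SECURITY ///` banner is a bare string like the visible `'build'`, `'cleanup'` and `'testinstall'` entries, so the default action is now permitted on exactly the same terms as the database-maintenance actions; whether DatabaseAdmin gates access elsewhere (environment or permission checks) is outside this hunk and worth confirming. Since the reason for the entry is a framework-level change rather than anything in this file, I'd record it inline: `'index', // must be listed explicitly: index is no longer exempt from the $allowed_actions check`. The array continues past the end of the hunk.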
@@ -41,6 +41,11 @@ class ControllerTest extends SapphireTest {
 "test that a controller without a specified allowed_actions allows actions through"
 );
+ $response = Director::test("ControllerTest_FullSecuredController/index");
+ $this->assertEquals(403, $response->getStatusCode(),
+ "Actions can be globally disallowed by using asterisk (*) for index method"
+ );
+
 $response = Director::test("ControllerTest_FullSecuredController/adminonly");
 $this->assertEquals(403, $response->getStatusCode(),
 "Actions can be globally disallowed by using asterisk (*) instead of a method name"
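Review bot: The new assertion pins only the deny side — an `index` request to `ControllerTest_FullSecuredController` must be 403 — but nothing in this test checks that a controller which explicitly lists `index` in `$allowed_actions` (the pattern this commit adds to DatabaseAdmin) still serves it, so a regression that rejected `index` everywhere would pass. I'd add a companion assertion against a test controller whose `$allowed_actions` names `index`, e.g. `$response = Director::test("<controller-listing-index>/index"); $this->assertEquals(200, $response->getStatusCode(), "index is served when listed in allowed_actions");` with the fixture name filled in (that the allowed path yields 200 is inferred from the 403 convention used here, not shown in the hunk). The assertion message `"... using asterisk (*) for index method"` restates the wording of the next assertion; `"index is not exempt from the allowed_actions check"` would say what is actually being tested. The enclosing test method starts before the hunk and continues after it.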