API CHANGE Don't exempt 'index' controller actions from the $allowed_actions check - they might still contain sensitive information (for example ImageEditor). This action now has to be explicitly allowed on controllers that define $allowed_actions.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86002 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2009-09-10 01:37:44 +00:00
parent 7a27726d00
commit fc03a8608a
3 changed files with 6 additions and 2 deletions


@ -192,8 +192,6 @@ class RequestHandler extends ViewableData {
} }
} }
if($action == 'index') return true;
if($allowedActions) { if($allowedActions) {
// convert all keys and values to lowercase for easier comparison (only if not set as boolean) // convert all keys and values to lowercase for easier comparison (only if not set as boolean)
foreach($allowedActions as $key => $value) { foreach($allowedActions as $key => $value) {
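Review bot: Dropping the early `return true` for 'index' is the whole point of the commit, yet nothing at the change site records that the exemption is gone, so the next reader of this method will not know whether the omission is deliberate. A one-line comment just before `if($allowedActions) {` would carry the contract: `// No implicit exemption for 'index': a controller that defines $allowed_actions must list it explicitly.` The docblock on `$allowed_actions` (not in this hunk) should state the same, since that is where controller authors look. What happens to an action that is not listed is decided further down, outside the hunk, and the enclosing method starts and ends outside it as well.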


@ -14,6 +14,7 @@ class DatabaseAdmin extends Controller {
/// SECURITY /// /// SECURITY ///
static $allowed_actions = array( static $allowed_actions = array(
'index',
'build', 'build',
'cleanup', 'cleanup',
'testinstall', 'testinstall',
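Review bot: The new bare `'index'` entry re-opens DatabaseAdmin's index action to any caller at the action-check level, which is exactly the situation the commit title warns about for such actions. If access to this controller is enforced somewhere else (presumably in its init() or a permission check, not visible here), that should be said next to the `/// SECURITY ///` marker so the entry is not read as an unconditional grant, e.g. `// 'index' must be listed explicitly now; access to this controller is gated elsewhere (see init()).` — confirm where that gate actually is before wording it. If no such gate exists, 'index' should use the same permission-code form as whatever protects the other entries rather than a plain string.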


@ -41,6 +41,11 @@ class ControllerTest extends SapphireTest {
"test that a controller without a specified allowed_actions allows actions through" "test that a controller without a specified allowed_actions allows actions through"
); );
$response = Director::test("ControllerTest_FullSecuredController/index");
$this->assertEquals(403, $response->getStatusCode(),
"Actions can be globally disallowed by using asterisk (*) for index method"
);
$response = Director::test("ControllerTest_FullSecuredController/adminonly"); $response = Director::test("ControllerTest_FullSecuredController/adminonly");
$this->assertEquals(403, $response->getStatusCode(), $this->assertEquals(403, $response->getStatusCode(),
"Actions can be globally disallowed by using asterisk (*) instead of a method name" "Actions can be globally disallowed by using asterisk (*) instead of a method name"