[CVE-2023-22728] Check canView before printing from GridField

This commit is contained in:
Guy Sartorelli 2023-02-14 12:52:39 +13:00
parent 92061a3ba6
commit fd5d8217e8
No known key found for this signature in database
GPG Key ID: F313E3B9504D496A
3 changed files with 34 additions and 13 deletions


@ -228,6 +228,7 @@ class GridFieldPrintButton extends AbstractGridFieldComponent implements GridFie
/** @var DataObject $item */
foreach ($items->limit(null) as $item) {
if (!$item->hasMethod('canView') || $item->canView()) {
$itemRow = new ArrayList();
foreach ($printColumns as $field => $label) {
@ -243,6 +244,7 @@ class GridFieldPrintButton extends AbstractGridFieldComponent implements GridFie
$itemRows->push(new ArrayData([
"ItemRow" => $itemRow
]));
}
if ($item->hasMethod('destroy')) {
$item->destroy();
}
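Review bot: The new permission guard in the first hunk has no comment explaining why rows are skipped, and the `/** @var DataObject $item */` annotation directly above it sits oddly with the `!$item->hasMethod('canView')` half of the condition, since a DataObject always has canView — either the annotation is too narrow or the hasMethod part is dead. As written, an item that lacks a canView method is printed unconditionally, which is a fail-open default; worth confirming that is intended and, if the list is always DataObjects, dropping the hasMethod clause so the check cannot be bypassed by an item type without it. Suggest a comment above the condition such as `// Skip rows the current member may not view (CVE-2023-22728); hasMethod guards non-DataObject list items`. The enclosing method starts before the first hunk and ends after the second.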


@ -32,6 +32,19 @@ class GridFieldPrintButtonTest extends SapphireTest
}
public function testLimit()
{
$this->assertEquals(42, $this->getTestableRows()->count());
}
public function testCanViewIsRespected()
{
$orig = TestObject::$canView;
TestObject::$canView = false;
$this->assertEquals(0, $this->getTestableRows()->count());
TestObject::$canView = $orig;
}
private function getTestableRows()
{
$list = TestObject::get();
@ -48,7 +61,6 @@ class GridFieldPrintButtonTest extends SapphireTest
// Printed data should ignore pagination limit
$printData = $button->generatePrintData($gridField);
$rows = $printData->ItemRows;
$this->assertEquals(42, $rows->count());
return $printData->ItemRows;
}
}
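Review bot: `testCanViewIsRespected` restores `TestObject::$canView` only on the success path; if the assertion fails, the static stays `false` and leaks into every later test in the same process, which would make unrelated failures look permission-related. Wrap the restore in a finally block: `try { $this->assertEquals(0, $this->getTestableRows()->count()); } finally { TestObject::$canView = $orig; }`. The first hunk of this section appears cut short on this page (its header announces 19 new lines but fewer are shown), so the body of getTestableRows between `$list = TestObject::get();` and the second hunk is not visible here.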


@ -12,4 +12,11 @@ class TestObject extends DataObject implements TestOnly
private static $db = [
'Name' => 'Varchar'
];
public static bool $canView = true;
public function canView($member = null)
{
return static::$canView;
}
}
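Review bot: The added `$canView` static and the `canView($member = null)` override carry no documentation saying that the property is a test-only switch for simulating a member without view permission, which is the only thing a reader of this fixture needs to know. Suggest a docblock on the property such as `/** Set to false to make every TestObject fail canView(); used by GridFieldPrintButtonTest. */`. The override also declares neither a parameter type nor a `: bool` return type while the property beside it is typed `bool`; if the fixture's style allows native types, `public function canView($member = null): bool` would keep the two consistent. The hunk header announces 11 new lines but fewer are shown, so part of the hunk may be collapsed on this page.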