[CVE-2023-22728] Check canView before printing from GridField
This commit is contained in:
parent
92061a3ba6
commit
fd5d8217e8
@ -228,21 +228,23 @@ class GridFieldPrintButton extends AbstractGridFieldComponent implements GridFie
|
||||
|
||||
/** @var DataObject $item */
|
||||
foreach ($items->limit(null) as $item) {
|
||||
$itemRow = new ArrayList();
|
||||
if (!$item->hasMethod('canView') || $item->canView()) {
|
||||
$itemRow = new ArrayList();
|
||||
|
||||
foreach ($printColumns as $field => $label) {
|
||||
$value = $gridFieldColumnsComponent
|
||||
? strip_tags($gridFieldColumnsComponent->getColumnContent($gridField, $item, $field))
|
||||
: $gridField->getDataFieldValue($item, $field);
|
||||
foreach ($printColumns as $field => $label) {
|
||||
$value = $gridFieldColumnsComponent
|
||||
? strip_tags($gridFieldColumnsComponent->getColumnContent($gridField, $item, $field))
|
||||
: $gridField->getDataFieldValue($item, $field);
|
||||
|
||||
$itemRow->push(new ArrayData([
|
||||
"CellString" => $value,
|
||||
$itemRow->push(new ArrayData([
|
||||
"CellString" => $value,
|
||||
]));
|
||||
}
|
||||
|
||||
$itemRows->push(new ArrayData([
|
||||
"ItemRow" => $itemRow
|
||||
]));
|
||||
}
|
||||
|
||||
$itemRows->push(new ArrayData([
|
||||
"ItemRow" => $itemRow
|
||||
]));
|
||||
if ($item->hasMethod('destroy')) {
|
||||
$item->destroy();
|
||||
}
|
||||
|
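Review bot: The new guard `if (!$item->hasMethod('canView') || $item->canView()) {` fails open: any list item that has no canView() method is printed unconditionally, because the first operand short-circuits to true. If that is deliberate for non-DataObject lists (plain ArrayData items, presumably), it deserves a comment such as `// Items without canView() (e.g. ArrayData) carry no permissions and are always printed`; if the list is expected to hold DataObjects only, the safer form is to drop the hasMethod fallback and require canView(). canView() is called with no member, so the check appears to run against the current session member — worth confirming it matches the permission check the export button applies, which is not visible here. The enclosing method starts and ends outside the hunk, so I could not confirm which list types reach this loop.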
@ -32,6 +32,19 @@ class GridFieldPrintButtonTest extends SapphireTest
|
||||
}
|
||||
|
||||
public function testLimit()
|
||||
{
|
||||
$this->assertEquals(42, $this->getTestableRows()->count());
|
||||
}
|
||||
|
||||
public function testCanViewIsRespected()
|
||||
{
|
||||
$orig = TestObject::$canView;
|
||||
TestObject::$canView = false;
|
||||
$this->assertEquals(0, $this->getTestableRows()->count());
|
||||
TestObject::$canView = $orig;
|
||||
}
|
||||
|
||||
private function getTestableRows()
|
||||
{
|
||||
$list = TestObject::get();
|
||||
|
||||
@ -48,7 +61,6 @@ class GridFieldPrintButtonTest extends SapphireTest
|
||||
|
||||
// Printed data should ignore pagination limit
|
||||
$printData = $button->generatePrintData($gridField);
|
||||
$rows = $printData->ItemRows;
|
||||
$this->assertEquals(42, $rows->count());
|
||||
return $printData->ItemRows;
|
||||
}
|
||||
}
|
||||
|
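Review bot: In testCanViewIsRespected the static flag is restored only on the success path; if the assertion on `$this->assertEquals(0, $this->getTestableRows()->count());` fails, `TestObject::$canView` stays false for every later test in the same process and the failure cascades. Wrap the assertion so the restore always runs, `try { $this->assertEquals(0, ...); } finally { TestObject::$canView = $orig; }`, or reset the flag in tearDown(). The removal of the hard-coded 42 assertion from getTestableRows looks right, since testLimit now owns that expectation.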
@ -12,4 +12,11 @@ class TestObject extends DataObject implements TestOnly
|
||||
private static $db = [
|
||||
'Name' => 'Varchar'
|
||||
];
|
||||
|
||||
public static bool $canView = true;
|
||||
|
||||
public function canView($member = null)
|
||||
{
|
||||
return static::$canView;
|
||||
}
|
||||
}
|
||||
|
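Review bot: The canView override returns the class-wide static and ignores `$member`, so it cannot exercise member-specific permission paths and any test that flips the flag affects all TestObject instances at once; a comment stating this intent would save the next reader from assuming it models real permission logic, e.g. `// Test switch only: ignores $member and applies to every instance; reset after use.` The property and method otherwise match the parent signature as far as visible here.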