From cff2ea9a98f592d80083633aef6bd082480281d9 Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Thu, 14 Jul 2016 16:57:16 +0100
Subject: [PATCH 1/2] [SS-2016-012] FIX Missing ACL check on ReportAdmin
This issue exposed reports to users able to guess the URL of a Report that they were not allowed to view the report
---
code/ReportAdmin.php | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/code/ReportAdmin.php b/code/ReportAdmin.php
index f1e35fa1..7e8678e4 100644
--- a/code/ReportAdmin.php
+++ b/code/ReportAdmin.php
@@ -34,10 +34,12 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
  */
 protected $reportClass;
+ /**
+ * @var SS_Report
+ */
 protected $reportObject;
 public function init() {
- parent::init();
 //set the report we are currently viewing from the URL
 $this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index')
@@ -46,6 +48,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 $allReports = SS_Report::get_reports();
 $this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null;
+ parent::init();
+
 // Set custom options for TinyMCE specific to ReportAdmin
 HtmlEditorConfig::get('cms')->setOption('content_css', project() . '/css/editor.css');
 HtmlEditorConfig::get('cms')->setOption('Lang', i18n::get_tinymce_lang());
@@ -69,7 +73,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 if(!parent::canView($member)) return false;
- $hasViewableSubclasses = false;
+ if ($this->reportObject) return $this->reportObject->canView($member);
+
 foreach($this->Reports() as $report) {
 if($report->canView($member)) return true;
 }
From efa20d2da03f80758cce7fe697c62f7f42fe098a Mon Sep 17 00:00:00 2001
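Review bot: The new statement order in init() (first two hunks) is load-bearing but undocumented: parent::init() now runs only after $this->reportObject is resolved, presumably because LeftAndMain::init() is where the canView() gate fires and the new canView() branch depends on the report being set, so a later refactor that moves parent::init() back to the top would silently reopen the hole. Suggest annotating the moved call, e.g. `// parent::init() runs the canView() gate, so the current report must be resolved before it`, and keeping in mind that everything above that call now executes before any access check and so should stay free of side effects beyond the report lookup. In the third hunk, a ReportClass that is present in the URL but absent from get_reports() leaves $this->reportObject null and falls through to the aggregate "any report viewable" check; if that case is meant to be denied rather than handed to the index, an explicit `if ($this->reportClass && !$this->reportObject) return false;` ahead of the new line would make the intent unambiguous, and the added docblock is more accurate as `@var SS_Report|null` since the property is explicitly assigned null on a miss. Both init() and canView() start or end outside these hunks, so the surrounding bodies were not reviewed; the same points apply verbatim to the identical hunks of [PATCH 2/2].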
From: Daniel Hensby
Date: Thu, 14 Jul 2016 16:57:16 +0100
Subject: [PATCH 2/2] [SS-2016-012] FIX Missing ACL check on ReportAdmin
This issue exposed reports to users able to guess the URL of a Report that they were not allowed to view the report
---
code/ReportAdmin.php | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/code/ReportAdmin.php b/code/ReportAdmin.php
index f1e35fa1..7e8678e4 100644
--- a/code/ReportAdmin.php
+++ b/code/ReportAdmin.php
@@ -34,10 +34,12 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
  */
 protected $reportClass;
+ /**
+ * @var SS_Report
+ */
 protected $reportObject;
 public function init() {
- parent::init();
 //set the report we are currently viewing from the URL
 $this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index')
@@ -46,6 +48,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 $allReports = SS_Report::get_reports();
 $this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null;
+ parent::init();
+
 // Set custom options for TinyMCE specific to ReportAdmin
 HtmlEditorConfig::get('cms')->setOption('content_css', project() . '/css/editor.css');
 HtmlEditorConfig::get('cms')->setOption('Lang', i18n::get_tinymce_lang());
@@ -69,7 +73,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
 if(!parent::canView($member)) return false;
- $hasViewableSubclasses = false;
+ if ($this->reportObject) return $this->reportObject->canView($member);
+
 foreach($this->Reports() as $report) {
 if($report->canView($member)) return true;
 }