BUG Fix regressions is SS_Report::canView

code/Report.php

@@ -310,7 +310,9 @@ class SS_Report extends ViewableData {
 		}
 
 		$extended = $this->extendedCan('canView', $member);
-		if($extended !== null) return $extended;
+		if($extended !== null) {
+			return $extended;
+		}
 
 		if($member && Permission::checkMember($member, array('CMS_ACCESS_LeftAndMain', 'CMS_ACCESS_ReportAdmin'))) {
 			return true;
@@ -318,6 +320,27 @@ class SS_Report extends ViewableData {
 
 		return false;
 	}
+
+	/**
+	 * Helper to assist with permission extension
+	 *
+	 * {@see DataObject::extendedCan()}
+	 *
+	 * @param string $methodName Method on the same object, e.g. {@link canEdit()}
+	 * @param Member|int $member
+	 * @return boolean|null
+	 */
+	public function extendedCan($methodName, $member) {
+		$results = $this->extend($methodName, $member);
+		if($results && is_array($results)) {
+			// Remove NULLs
+			$results = array_filter($results, function($v) {return !is_null($v);});
+			// If there are any non-NULL responses, then return the lowest one of them.
+			// If any explicitly deny the permission, then we don't get access
+			if($results) return min($results);
+		}
+		return null;
+	}
 	
 
 	/**

tests/ReportTest.php

@@ -56,6 +56,26 @@ class ReportTest extends SapphireTest {
 			$reportNames,
 			'ReportTest_FakeTest_Abstract is NOT in reports list as it is abstract');
 	}
+
+	public function testPermissions() {
+		$report = new ReportTest_FakeTest2();
+
+		// Visitor cannot view
+		Session::clear("loggedInAs");
+		$this->assertFalse($report->canView());
+
+		// Logged in user that cannot view reports
+		$this->logInWithPermission('SITETREE_REORGANISE');
+		$this->assertFalse($report->canView());
+
+		// Logged in with report permissions
+		$this->logInWithPermission('CMS_ACCESS_ReportAdmin');
+		$this->assertTrue($report->canView());
+
+		// Admin can view
+		$this->logInWithPermission('ADMIN');
+		$this->assertTrue($report->canView());
+	}
 }
 
 /**