From 36241d52a08ebce841f50fff91f3e4f4ac591be4 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Fri, 18 Dec 2015 11:41:34 +1300
Subject: [PATCH] BUG Fix regressions is SS_Report::canView
---
 code/Report.php | 25 ++++++++++++++++++++++++-
 tests/ReportTest.php | 20 ++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/code/Report.php b/code/Report.php
index 2248fb2a..071e1cc6 100644
--- a/code/Report.php
+++ b/code/Report.php
@@ -310,7 +310,9 @@ class SS_Report extends ViewableData {
 }
 $extended = $this->extendedCan('canView', $member);
- if($extended !== null) return $extended;
+ if($extended !== null) {
+ return $extended;
+ }
 if($member && Permission::checkMember($member, array('CMS_ACCESS_LeftAndMain', 'CMS_ACCESS_ReportAdmin'))) {
 return true;
@@ -318,6 +320,27 @@ class SS_Report extends ViewableData {
 return false;
 }
+
+ /**
+ * Helper to assist with permission extension
+ *
+ * {@see DataObject::extendedCan()}
+ *
+ * @param string $methodName Method on the same object, e.g. {@link canEdit()}
+ * @param Member|int $member
+ * @return boolean|null
+ */
+ public function extendedCan($methodName, $member) {
+ $results = $this->extend($methodName, $member);
+ if($results && is_array($results)) {
+ // Remove NULLs
+ $results = array_filter($results, function($v) {return !is_null($v);});
+ // If there are any non-NULL responses, then return the lowest one of them.
+ // If any explicitly deny the permission, then we don't get access
+ if($results) return min($results);
+ }
+ return null;
+ }
 /**
diff --git a/tests/ReportTest.php b/tests/ReportTest.php
index dada8a4d..2df30585 100644
--- a/tests/ReportTest.php
+++ b/tests/ReportTest.php
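Review bot: `extendedCan()` in code/Report.php returns `min($results)` as-is, so `canView()` hands back whatever type an extension produced (its `$extended !== null` branch returns the value verbatim) rather than the `boolean|null` the docblock promises, and `min()` orders mixed-type values by PHP's loose comparison, which may not put a denial first. Normalising before the comparison keeps deny-wins explicit: add `$results = array_map(function($v) {return (bool)$v;}, $results);` directly after the `array_filter` line. The docblock should also say that `$member` may be null (`canView()` appears to pass it through for anonymous visitors) and that any non-null result replaces the `Permission::checkMember` check, so a single extension returning true grants view access without `CMS_ACCESS_ReportAdmin`.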
@@ -56,6 +56,26 @@ class ReportTest extends SapphireTest {
 $reportNames,
 'ReportTest_FakeTest_Abstract is NOT in reports list as it is abstract');
 }
+
+ public function testPermissions() {
+ $report = new ReportTest_FakeTest2();
+
+ // Visitor cannot view
+ Session::clear("loggedInAs");
+ $this->assertFalse($report->canView());
+
+ // Logged in user that cannot view reports
+ $this->logInWithPermission('SITETREE_REORGANISE');
+ $this->assertFalse($report->canView());
+
+ // Logged in with report permissions
+ $this->logInWithPermission('CMS_ACCESS_ReportAdmin');
+ $this->assertTrue($report->canView());
+
+ // Admin can view
+ $this->logInWithPermission('ADMIN');
+ $this->assertTrue($report->canView());
+ }
 }
 /**
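Review bot: Nothing in `testPermissions()` exercises the `extendedCan()` path that this commit adds to `SS_Report`; all four cases resolve through the built-in `Permission::checkMember` fallback, so a regression in the extension handling would still pass. The security-relevant case is an extension veto: a user holding `CMS_ACCESS_ReportAdmin` must be refused when an extension's `canView()` returns false. A separate test along the lines below would pin that, using a test-only extension class that is not part of this patch. The `CMS_ACCESS_LeftAndMain` code accepted by `canView()` is also never asserted and could be covered with `$this->logInWithPermission('CMS_ACCESS_LeftAndMain');` followed by `$this->assertTrue($report->canView());`.

```php
	public function testExtensionCanDenyView() {
		// ReportTest_DenyViewExtension is a placeholder name: a test-only
		// Extension whose canView() returns false
		ReportTest_FakeTest2::add_extension('ReportTest_DenyViewExtension');
		$report = new ReportTest_FakeTest2();

		// A permitted user is still refused when an extension denies
		$this->logInWithPermission('CMS_ACCESS_ReportAdmin');
		$this->assertFalse($report->canView());

		ReportTest_FakeTest2::remove_extension('ReportTest_DenyViewExtension');
	}
```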