Merge pull request #979 from ss23/SS2014005-3-1

FIX Do now allow arbitary class creation in CMS
This commit is contained in:
Damian Mooyman 2014-03-27 12:55:40 +13:00
commit ab78198946
2 changed files with 31 additions and 1 deletions

View File

@ -871,8 +871,17 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
* @uses LeftAndMainExtension->augmentNewSiteTreeItem() * @uses LeftAndMainExtension->augmentNewSiteTreeItem()
*/ */
public function getNewItem($id, $setID = true) { public function getNewItem($id, $setID = true) {
$parentClass = $this->stat('tree_class');
list($dummy, $className, $parentID, $suffix) = array_pad(explode('-',$id),4,null); list($dummy, $className, $parentID, $suffix) = array_pad(explode('-',$id),4,null);
if(!is_subclass_of($className, $parentClass) && strcasecmp($className, $parentClass) != 0) {
$response = Security::permissionFailure($this);
if (!$response) {
$response = $this->response;
}
throw new SS_HTTPResponse_Exception($response);
}
$newItem = new $className(); $newItem = new $className();
if( !$suffix ) { if( !$suffix ) {

View File

@ -328,6 +328,27 @@ class CMSMainTest extends FunctionalTest {
$this->session()->inst_set('loggedInAs', null); $this->session()->inst_set('loggedInAs', null);
} }
public function testGetNewItem() {
$controller = new CMSMain();
$id = 'new-Page-0';
// Test success
$page = $controller->getNewItem($id, false);
$this->assertEquals($page->Title, 'New Page');
$this->assertNotEquals($page->Sort, 0);
$this->assertInstanceOf('Page', $page);
// Test failure
try {
$id = 'new-Member-0';
$member = $controller->getNewItem($id, false);
$this->fail('Should not be able to create a Member object');
} catch(SS_HTTPResponse_Exception $e) {
$this->assertEquals($controller->getResponse()->getStatusCode(), 302);
}
}
} }
class CMSMainTest_ClassA extends Page implements TestOnly { class CMSMainTest_ClassA extends Page implements TestOnly {