BUGFIX Only enforcing record-level permissions in LeftAndMain if passed ID is numeric to avoid breaking AssetAdmin with string-based IDs (regression from r65152). See #3017

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/trunk@65213 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2008-11-04 13:53:11 +00:00
parent b6ae79afce
commit bcfa95887f


@ -282,7 +282,7 @@ class LeftAndMain extends Controller {
$this->setCurrentPageID($_REQUEST['ID']); $this->setCurrentPageID($_REQUEST['ID']);
SSViewer::setOption('rewriteHashlinks', false); SSViewer::setOption('rewriteHashlinks', false);
if(isset($_REQUEST['ID'])) { if(isset($_REQUEST['ID']) && is_numeric($_REQUEST['ID'])) {
$record = DataObject::get_by_id($this->stat('tree_class'), $_REQUEST['ID']); $record = DataObject::get_by_id($this->stat('tree_class'), $_REQUEST['ID']);
if($record && !$record->canView()) return Security::permissionFailure($this); if($record && !$record->canView()) return Security::permissionFailure($this);
} }
@ -768,9 +768,11 @@ JS;
$id = isset($_REQUEST['ID']) ? $_REQUEST['ID'] : $this->currentPageID(); $id = isset($_REQUEST['ID']) ? $_REQUEST['ID'] : $this->currentPageID();
if(!$id) return false; if(!$id) return false;
$record = DataObject::get_by_id($this->stat('tree_class'), $id); if(is_numeric($id)) {
if($record && !$record->canView()) return Security::permissionFailure($this); $record = DataObject::get_by_id($this->stat('tree_class'), $id);
if($record && !$record->canView()) return Security::permissionFailure($this);
}
return $this->getEditForm($id); return $this->getEditForm($id);
} }
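Review bot: The new `if(is_numeric($id)) {` guard in the second hunk makes the `canView()` check fail open, because any non-numeric ID skips it and still reaches `getEditForm($id)`. The first hunk's `is_numeric($_REQUEST['ID'])` has the same shape. Whether this is safe depends on code outside these hunks: if `getEditForm()` or a subclass later casts or coerces the ID (a value such as `12abc` is not numeric but casts to 12), a record could be loaded without the record-level check, so the check and the later lookup should work on the same normalised value. At minimum I would put a comment above each guard, `// Non-numeric IDs (e.g. AssetAdmin) skip canView() here; subclasses using them must enforce access themselves`. Both enclosing methods begin outside the hunks shown.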