[SS-2016-012] FIX Missing ACL check on ReportAdmin

This issue exposed reports to users able to guess the URL of a Report that they were not allowed to view the report
This commit is contained in:
Daniel Hensby 2016-07-14 16:57:16 +01:00
parent 7eb6b21494
commit ca526b08c3
No known key found for this signature in database
GPG Key ID: B00D1E9767F0B06E

View File

@ -34,10 +34,12 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
*/
protected $reportClass;
/**
* @var SS_Report
*/
protected $reportObject;
public function init() {
parent::init();
//set the report we are currently viewing from the URL
$this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index')
@ -46,6 +48,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
$allReports = SS_Report::get_reports();
$this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null;
parent::init();
// Set custom options for TinyMCE specific to ReportAdmin
HtmlEditorConfig::get('cms')->setOption('content_css', project() . '/css/editor.css');
HtmlEditorConfig::get('cms')->setOption('Lang', i18n::get_tinymce_lang());
@ -69,7 +73,8 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
if(!parent::canView($member)) return false;
$hasViewableSubclasses = false;
if ($this->reportObject) return $this->reportObject->canView($member);
foreach($this->Reports() as $report) {
if($report->canView($member)) return true;
}