Merge pull request #189 from creative-commoners/pulls/5.2/cve-2024-29885

[CVE-2024-29885] Respect canView permissions for viewing reports
This commit is contained in:
Guy Sartorelli 2024-07-17 11:39:56 +12:00 committed by GitHub
commit d325683d2a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 62 additions and 3 deletions

View File

@ -124,6 +124,9 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider
return $this->httpError(404);
}
$this->reportObject = $allReports[$this->reportClass];
if (!$this->reportObject->canView()) {
return Security::permissionFailure($this);
}
}
// Delegate to sub-form

View File

@ -4,14 +4,14 @@ namespace SilverStripe\Reports\Tests;
use ReflectionClass;
use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Dev\SapphireTest;
use SilverStripe\Dev\FunctionalTest;
use SilverStripe\Reports\Report;
use SilverStripe\Reports\ReportAdmin;
use SilverStripe\Reports\Tests\ReportAdminTest\CannotViewReport;
use SilverStripe\Reports\Tests\ReportAdminTest\FakeReport;
use SilverStripe\Reports\Tests\ReportAdminTest\FakeReport2;
class ReportAdminTest extends SapphireTest
class ReportAdminTest extends FunctionalTest
{
public function testBreadcrumbsAreGenerated()
{
@ -46,6 +46,34 @@ class ReportAdminTest extends SapphireTest
$this->assertSame('Fake report two', $map['Title']);
}
public function provideShowReport(): array
{
return [
'cannot view' => [
'reportClass' => CannotViewReport::class,
'expected' => 403,
],
'can view' => [
'reportClass' => FakeReport::class,
'expected' => 200,
],
];
}
/**
* @dataProvider provideShowReport
*/
public function testShowReport(string $reportClass, int $expected): void
{
$this->logInWithPermission('ADMIN');
$report = new $reportClass();
$controller = $this->mockController($report);
$breadcrumbs = $controller->BreadCrumbs();
$response = $this->get($breadcrumbs[1]->Link);
$this->assertSame($expected, $response->getStatusCode());
}
/**
* @param Report $report
* @return ReportAdmin

View File

@ -0,0 +1,19 @@
<?php
namespace SilverStripe\Reports\Tests\ReportAdminTest;
use SilverStripe\Dev\TestOnly;
use SilverStripe\Reports\Report;
class CannotViewReport extends Report implements TestOnly
{
public function title()
{
return 'Cannot View report';
}
public function canView($member = null)
{
return false;
}
}

View File

@ -3,7 +3,9 @@
namespace SilverStripe\Reports\Tests\ReportAdminTest;
use SilverStripe\Dev\TestOnly;
use SilverStripe\ORM\ArrayList;
use SilverStripe\Reports\Report;
use SilverStripe\Security\Member;
class FakeReport extends Report implements TestOnly
{
@ -11,4 +13,11 @@ class FakeReport extends Report implements TestOnly
{
return 'Fake report';
}
public function sourceRecords($params = [], $sort = null, $limit = null)
{
$list = new ArrayList();
$list->setDataClass(Member::class);
return $list;
}
}