mirror of
https://github.com/silverstripe/silverstripe-reports
synced 2024-10-22 09:05:53 +00:00
Merge pull request #189 from creative-commoners/pulls/5.2/cve-2024-29885
[CVE-2024-29885] Respect canView permissions for viewing reports
This commit is contained in:
commit
d325683d2a
@ -124,6 +124,9 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider
|
|||||||
return $this->httpError(404);
|
return $this->httpError(404);
|
||||||
}
|
}
|
||||||
$this->reportObject = $allReports[$this->reportClass];
|
$this->reportObject = $allReports[$this->reportClass];
|
||||||
|
if (!$this->reportObject->canView()) {
|
||||||
|
return Security::permissionFailure($this);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Delegate to sub-form
|
// Delegate to sub-form
|
||||||
|
@ -4,14 +4,14 @@ namespace SilverStripe\Reports\Tests;
|
|||||||
|
|
||||||
use ReflectionClass;
|
use ReflectionClass;
|
||||||
use SilverStripe\Control\Controller;
|
use SilverStripe\Control\Controller;
|
||||||
use SilverStripe\Control\HTTPRequest;
|
use SilverStripe\Dev\FunctionalTest;
|
||||||
use SilverStripe\Dev\SapphireTest;
|
|
||||||
use SilverStripe\Reports\Report;
|
use SilverStripe\Reports\Report;
|
||||||
use SilverStripe\Reports\ReportAdmin;
|
use SilverStripe\Reports\ReportAdmin;
|
||||||
|
use SilverStripe\Reports\Tests\ReportAdminTest\CannotViewReport;
|
||||||
use SilverStripe\Reports\Tests\ReportAdminTest\FakeReport;
|
use SilverStripe\Reports\Tests\ReportAdminTest\FakeReport;
|
||||||
use SilverStripe\Reports\Tests\ReportAdminTest\FakeReport2;
|
use SilverStripe\Reports\Tests\ReportAdminTest\FakeReport2;
|
||||||
|
|
||||||
class ReportAdminTest extends SapphireTest
|
class ReportAdminTest extends FunctionalTest
|
||||||
{
|
{
|
||||||
public function testBreadcrumbsAreGenerated()
|
public function testBreadcrumbsAreGenerated()
|
||||||
{
|
{
|
||||||
@ -46,6 +46,34 @@ class ReportAdminTest extends SapphireTest
|
|||||||
$this->assertSame('Fake report two', $map['Title']);
|
$this->assertSame('Fake report two', $map['Title']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function provideShowReport(): array
|
||||||
|
{
|
||||||
|
return [
|
||||||
|
'cannot view' => [
|
||||||
|
'reportClass' => CannotViewReport::class,
|
||||||
|
'expected' => 403,
|
||||||
|
],
|
||||||
|
'can view' => [
|
||||||
|
'reportClass' => FakeReport::class,
|
||||||
|
'expected' => 200,
|
||||||
|
],
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider provideShowReport
|
||||||
|
*/
|
||||||
|
public function testShowReport(string $reportClass, int $expected): void
|
||||||
|
{
|
||||||
|
$this->logInWithPermission('ADMIN');
|
||||||
|
$report = new $reportClass();
|
||||||
|
$controller = $this->mockController($report);
|
||||||
|
$breadcrumbs = $controller->BreadCrumbs();
|
||||||
|
$response = $this->get($breadcrumbs[1]->Link);
|
||||||
|
|
||||||
|
$this->assertSame($expected, $response->getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param Report $report
|
* @param Report $report
|
||||||
* @return ReportAdmin
|
* @return ReportAdmin
|
||||||
|
19
tests/ReportAdminTest/CannotViewReport.php
Normal file
19
tests/ReportAdminTest/CannotViewReport.php
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace SilverStripe\Reports\Tests\ReportAdminTest;
|
||||||
|
|
||||||
|
use SilverStripe\Dev\TestOnly;
|
||||||
|
use SilverStripe\Reports\Report;
|
||||||
|
|
||||||
|
class CannotViewReport extends Report implements TestOnly
|
||||||
|
{
|
||||||
|
public function title()
|
||||||
|
{
|
||||||
|
return 'Cannot View report';
|
||||||
|
}
|
||||||
|
|
||||||
|
public function canView($member = null)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
@ -3,7 +3,9 @@
|
|||||||
namespace SilverStripe\Reports\Tests\ReportAdminTest;
|
namespace SilverStripe\Reports\Tests\ReportAdminTest;
|
||||||
|
|
||||||
use SilverStripe\Dev\TestOnly;
|
use SilverStripe\Dev\TestOnly;
|
||||||
|
use SilverStripe\ORM\ArrayList;
|
||||||
use SilverStripe\Reports\Report;
|
use SilverStripe\Reports\Report;
|
||||||
|
use SilverStripe\Security\Member;
|
||||||
|
|
||||||
class FakeReport extends Report implements TestOnly
|
class FakeReport extends Report implements TestOnly
|
||||||
{
|
{
|
||||||
@ -11,4 +13,11 @@ class FakeReport extends Report implements TestOnly
|
|||||||
{
|
{
|
||||||
return 'Fake report';
|
return 'Fake report';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function sourceRecords($params = [], $sort = null, $limit = null)
|
||||||
|
{
|
||||||
|
$list = new ArrayList();
|
||||||
|
$list->setDataClass(Member::class);
|
||||||
|
return $list;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user