From a1ee94ce61d90e9424f48bb2cb1f56e8016edf75 Mon Sep 17 00:00:00 2001
From: Guy Sartorelli <guy.sartorelli@silverstripe.com>
Date: Thu, 10 Nov 2022 01:56:21 +0000
Subject: [PATCH 1/3] Update translations

---
 composer.json | 5 +----
 lang/eo.yml   | 3 ++-
 lang/nl.yml   | 3 ++-
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/composer.json b/composer.json
index 77e0854..7caa380 100644
--- a/composer.json
+++ b/composer.json
@@ -34,9 +34,6 @@
         }
     },
     "extra": {
-        "branch-alias": {
-            "dev-master": "2.x-dev"
-        },
         "expose": [
             "client/javascript",
             "client/css"
@@ -44,4 +41,4 @@
     },
     "minimum-stability": "dev",
     "prefer-stable": true
-}
+}
\ No newline at end of file
diff --git a/lang/eo.yml b/lang/eo.yml
index 0af2944..051be19 100644
--- a/lang/eo.yml
+++ b/lang/eo.yml
@@ -53,11 +53,12 @@ eo:
       one: 'Unu subreteja domajno'
       other: '{count} subretejaj domajnoj'
     PROTOCOL_AUTOMATIC: Aŭtomata
-    PROTOCOL_DESCRIPTION: 'Marki ĉi tion kiel la aprioran domajnon por ĉi tiu subretejo'
+    PROTOCOL_DESCRIPTION: 'Kiam generante ligilojn al ĉi tiu subretejo, uzu la elektitan protokolon.'
     PROTOCOL_HTTP: 'http://'
     PROTOCOL_HTTPS: 'https://'
     Protocol: Protokolo
     SINGULARNAME: 'Subreteja domajno'
+    ISPRIMARY_DESCRIPTION: 'Marki ĉi tion kiel la aprioran domajnon por ĉi tiu subretejo'
   SilverStripe\Subsites\Pages\SubsitesVirtualPage:
     DESCRIPTION: 'Vidigas la enhavon de paĝo en alia subretejo'
     OverrideNote: 'Anstataŭigas hereditan valoron el la fonto'
diff --git a/lang/nl.yml b/lang/nl.yml
index a49f085..ca82dc4 100644
--- a/lang/nl.yml
+++ b/lang/nl.yml
@@ -53,11 +53,12 @@ nl:
       one: 'Een subsite domein'
       other: '{count} subsite domeinen'
     PROTOCOL_AUTOMATIC: Automatisch
-    PROTOCOL_DESCRIPTION: 'Markeer als standaard domein voor deze subsite'
+    PROTOCOL_DESCRIPTION: 'Wordt gebruikt bij het genereren van links naar deze subsite. <br />''Automatisch'' houdt in dat het huidige protocol gebruikt zal worden.'
     PROTOCOL_HTTP: 'http://'
     PROTOCOL_HTTPS: 'https://'
     Protocol: Protocol
     SINGULARNAME: 'Subsite Domein'
+    ISPRIMARY_DESCRIPTION: 'Dit is de standaard domeinnaam voor deze subsite'
   SilverStripe\Subsites\Pages\SubsitesVirtualPage:
     DESCRIPTION: 'Toon de inhoud van een pagina op een andere subsite'
     OverrideNote: 'Overschrijft de overgenomen tekst van de gelinkte pagina'

From 5f489b1df93d1424f24555ee199a2bd801f08eeb Mon Sep 17 00:00:00 2001
From: Steve Boyd <emteknetnz@gmail.com>
Date: Wed, 14 Dec 2022 10:43:53 +1300
Subject: [PATCH 2/3] FIX Do not show copy to subsite buttons in history viewer

---
 src/Extensions/SiteTreeSubsites.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Extensions/SiteTreeSubsites.php b/src/Extensions/SiteTreeSubsites.php
index 58ca33d..d76de68 100644
--- a/src/Extensions/SiteTreeSubsites.php
+++ b/src/Extensions/SiteTreeSubsites.php
@@ -29,6 +29,7 @@ use SilverStripe\Subsites\Model\Subsite;
 use SilverStripe\Subsites\Service\ThemeResolver;
 use SilverStripe\Subsites\State\SubsiteState;
 use SilverStripe\View\SSViewer;
+use SilverStripe\VersionedAdmin\Controllers\HistoryViewerController;
 
 /**
  * Extension for the SiteTree object to add subsites support
@@ -117,10 +118,12 @@ class SiteTreeSubsites extends DataExtension
             $subsitesMap = new Map(ArrayList::create());
         }
 
+        $viewingPageHistory = Controller::has_curr() && Controller::curr() instanceof HistoryViewerController;
+
         // Master page edit field (only allowed from default subsite to avoid inconsistent relationships)
         $isDefaultSubsite = $this->owner->SubsiteID == 0 || $this->owner->Subsite()->DefaultSite;
 
-        if ($isDefaultSubsite && $subsitesMap->count()) {
+        if ($isDefaultSubsite && $subsitesMap->count() && !$viewingPageHistory) {
             $fields->addFieldToTab(
                 'Root.Main',
                 ToggleCompositeField::create(

From 73f3d15bfb90ba779dd5498fcc5ae4ab292d6272 Mon Sep 17 00:00:00 2001
From: Steve Boyd <emteknetnz@gmail.com>
Date: Thu, 10 Nov 2022 15:25:53 +1300
Subject: [PATCH 3/3] [CVE-2022-42949] Subsite file permissions

---
 src/Extensions/FileSubsites.php |  6 ++--
 tests/php/FileSubsitesTest.php  | 61 +++++++++++++++++++++++++++++++++
 tests/php/SubsiteTest.yml       | 26 ++++++++++++++
 3 files changed, 90 insertions(+), 3 deletions(-)

diff --git a/src/Extensions/FileSubsites.php b/src/Extensions/FileSubsites.php
index 85defa9..39a7a96 100644
--- a/src/Extensions/FileSubsites.php
+++ b/src/Extensions/FileSubsites.php
@@ -116,9 +116,9 @@ class FileSubsites extends DataExtension
         }
 
         // Check the CMS_ACCESS_SecurityAdmin privileges on the subsite that owns this group
-        $subsiteID = SubsiteState::singleton()->getSubsiteId();
-        if ($subsiteID && $subsiteID == $this->owner->SubsiteID) {
-            return true;
+        $currentSubsiteID = SubsiteState::singleton()->getSubsiteId();
+        if ($currentSubsiteID && $currentSubsiteID !== $this->owner->SubsiteID) {
+            return false;
         }
 
         return SubsiteState::singleton()->withState(function (SubsiteState $newState) use ($member) {
diff --git a/tests/php/FileSubsitesTest.php b/tests/php/FileSubsitesTest.php
index 3aa6a6c..60f40c2 100644
--- a/tests/php/FileSubsitesTest.php
+++ b/tests/php/FileSubsitesTest.php
@@ -8,6 +8,7 @@ use SilverStripe\Core\Config\Config;
 use SilverStripe\Forms\FieldList;
 use SilverStripe\Subsites\Extensions\FileSubsites;
 use SilverStripe\Subsites\Model\Subsite;
+use SilverStripe\Security\Member;
 
 class FileSubsitesTest extends BaseSubsiteTest
 {
@@ -65,4 +66,64 @@ class FileSubsitesTest extends BaseSubsiteTest
         $file->onAfterUpload();
         $this->assertEquals($folder->SubsiteID, $file->SubsiteID);
     }
+
+    /**
+     * @dataProvider provideTestCanEdit
+     */
+    public function testCanEdit(
+        string $fileKey,
+        string $memberKey,
+        string $currentSubsiteKey,
+        bool $expected
+    ): void {
+        $file = $this->objFromFixture(File::class, $fileKey);
+        $subsiteID = ($currentSubsiteKey === 'mainsite')
+            ? 0 : $this->objFromFixture(Subsite::class, $currentSubsiteKey)->ID;
+        $member = $this->objFromFixture(Member::class, $memberKey);
+        Subsite::changeSubsite($subsiteID);
+        $this->assertSame($expected, $file->canEdit($member));
+    }
+
+    public function provideTestCanEdit(): array
+    {
+        $ret = [];
+        $data = [
+            // file
+            'subsite1file' => [
+                // member - has permissions to edit the file
+                'filetestyes' => [
+                    // current subite => expected canEdit()
+                    'subsite1' => true,
+                    'subsite2' => false,
+                    'mainsite' => true
+                ],
+                // member - does not have permissions to edit the file
+                'filetestno' => [
+                    'subsite1' => false,
+                    'subsite2' => false,
+                    'mainsite' => false
+                ],
+            ],
+            'mainsitefile' => [
+                'filetestyes' => [
+                    'subsite1' => true,
+                    'subsite2' => true,
+                    'mainsite' => true
+                ],
+                'filetestno' => [
+                    'subsite1' => false,
+                    'subsite2' => false,
+                    'mainsite' => false
+                ],
+            ]
+        ];
+        foreach (array_keys($data) as $fileKey) {
+            foreach (array_keys($data[$fileKey]) as $memberKey) {
+                foreach ($data[$fileKey][$memberKey] as $currentSubsiteKey => $expected) {
+                    $ret[] = [$fileKey, $memberKey, $currentSubsiteKey, $expected];
+                }
+            }
+        }
+        return $ret;
+    }
 }
diff --git a/tests/php/SubsiteTest.yml b/tests/php/SubsiteTest.yml
index 3096781..cc26248 100644
--- a/tests/php/SubsiteTest.yml
+++ b/tests/php/SubsiteTest.yml
@@ -159,6 +159,10 @@ SilverStripe\Security\Group:
     Code: subsite1_group_via_role
     AccessAllSubsites: 1
     Roles: =>SilverStripe\Security\PermissionRole.role1
+  filetest:
+    Title: filetest
+    Code: filetest
+    AccessAllSubsites: 1
 SilverStripe\Security\Permission:
   admin:
     Code: ADMIN
@@ -193,6 +197,9 @@ SilverStripe\Security\Permission:
   adminsubsite1:
     Code: ADMIN
     GroupID: =>SilverStripe\Security\Group.subsite1admins
+  filetest:
+    Code: CMS_ACCESS_CMSMain
+    GroupID: =>SilverStripe\Security\Group.filetest
 
 SilverStripe\Security\Member:
   admin:
@@ -222,7 +229,26 @@ SilverStripe\Security\Member:
   subsite1member2:
     Email: subsite1member2@test.com
     Groups: =>SilverStripe\Security\Group.subsite1_group_via_role
+  filetestyes:
+    Email: filetestyes@test.com
+    Groups: =>SilverStripe\Security\Group.filetest
+  filetestno:
+    Email: filetestno@test.com
 
 SilverStripe\SiteConfig\SiteConfig:
   config:
     CanCreateTopLevelType: LoggedInUsers
+
+SilverStripe\Assets\File:
+  subsite1file:
+    Name: subsitefile.pdf
+    Title: subsitefile
+    SubsiteID: =>SilverStripe\Subsites\Model\Subsite.subsite1
+    CanEditType: OnlyTheseUsers
+    EditorGroups: =>SilverStripe\Security\Group.filetest
+  mainsitefile:
+    Name: mainsitefile.pdf
+    Title: mainsitefile
+    SubsiteID: 0
+    CanEditType: OnlyTheseUsers
+    EditorGroups: =>SilverStripe\Security\Group.filetest