NEW Improve Unrestricted Folder warning, bump core requirement to ^4.6 (#965)

2020-06-09 21:01:09 +12:00 · 2020-06-09 21:01:09 +12:00 · 14ce51e517
parent 447be1049e
commit 14ce51e517
3 changed files with 20 additions and 10 deletions
--- a/code/Model/EditableFormField/EditableFileField.php
+++ b/code/Model/EditableFormField/EditableFileField.php
@ -5,17 +5,23 @@ namespace SilverStripe\UserForms\Model\EditableFormField;
 use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
 use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Convert;
+use SilverStripe\Forms\FieldList;
 use SilverStripe\Forms\FileField;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;
 use SilverStripe\Forms\TreeDropdownField;
 use SilverStripe\ORM\ValidationResult;
+use SilverStripe\Security\Member;
 use SilverStripe\UserForms\Model\EditableFormField;
 use SilverStripe\UserForms\Model\Submission\SubmittedFileField;

 /**
 * Allows a user to add a field that can be used to upload a file.
 *
+ * @method Folder Folder
+ * @property int FolderID
+ * @property float MaxFileSizeMB
 * @package userforms
 */
 class EditableFileField extends EditableFormField
@ -60,14 +66,18 @@ class EditableFileField extends EditableFormField
            )
        );

-        $fields->addFieldToTab("Root.Main", LiteralField::create(
-            'FileUploadWarning',
-            '<p class="alert alert-info">' . _t(
-                'SilverStripe\\UserForms\\Model\\UserDefinedForm.FileUploadWarning',
-                'Files uploaded through this field could be publicly accessible if the exact URL is known'
-            )
-            . '</p>'
-        ), 'Type');
+        // Warn the user if the folder targeted by this field is not restricted
+        if ($this->FolderID && !$this->Folder()->hasRestrictedAccess()) {
+            $fields->addFieldToTab("Root.Main", LiteralField::create(
+                'FileUploadWarning',
+                '<p class="alert alert-warning">' . _t(
+                    'SilverStripe\\UserForms\\Model\\UserDefinedForm.UnrestrictedFileUploadWarning',
+                    'Access to the current upload folder "{path}" is not restricted. Uploaded files will be publicly accessible if the exact URL is known.',
+                    ['path' => Convert::raw2att($this->Folder()->Filename)]
+                )
+                . '</p>'
+            ), 'Type');
+        }

        $fields->addFieldToTab(
            'Root.Main',
--- a/composer.json
+++ b/composer.json
@ -31,7 +31,7 @@
    ],
    "require": {
        "php": ">=7.1",
-        "silverstripe/cms": "^4.0",
+        "silverstripe/cms": "^4.6",
        "symbiote/silverstripe-gridfieldextensions": "^3.1",
        "silverstripe/segment-field": "^2.0",
        "silverstripe/versioned": "^1.0"
--- a/lang/en.yml
+++ b/lang/en.yml
@ -261,7 +261,7 @@ en:
    EMAIL_RECIPIENT_UNSAVED_FORM: 'You will be able to select from valid form fields after saving this record.'
    EmailFromContent: 'The from address allows you to set who the email comes from. On most servers this will need to be set to an email address on the same domain name as your site. For example on yoursite.com the from address may need to be something@yoursite.com. You can however, set any email address you wish as the reply to address.'
    FROMADDRESS: 'Send email from'
-    FileUploadWarning: 'Files uploaded through this field could be publicly accessible if the exact URL is known'
+    UnrestrictedFileUploadWarning: 'Access to the current upload folder "{path}" is not restricted. Uploaded files will be publicly accessible if the exact URL is known.'
    HIDEFORMDATA: 'Hide form data from email?'
    ORSELECTAFIELDTOUSEASFROM: '.. or select a field to use as reply to address'
    ORSELECTAFIELDTOUSEASTO: '.. or select a field to use as the to address'