From 14ce51e517f5d994cb1b270fde1f41f65cf3d68b Mon Sep 17 00:00:00 2001
From: Garion Herman
Date: Tue, 9 Jun 2020 21:01:09 +1200
Subject: [PATCH] NEW Improve Unrestricted Folder warning, bump core requirement to ^4.6 (#965)
---
 .../EditableFormField/EditableFileField.php | 26 +++++++++++++------
 composer.json | 2 +-
 lang/en.yml | 2 +-
 3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/code/Model/EditableFormField/EditableFileField.php b/code/Model/EditableFormField/EditableFileField.php
index 76f5aa7..67f6627 100755
--- a/code/Model/EditableFormField/EditableFileField.php
+++ b/code/Model/EditableFormField/EditableFileField.php
@@ -5,17 +5,23 @@ namespace SilverStripe\UserForms\Model\EditableFormField;
 use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
 use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Convert;
+use SilverStripe\Forms\FieldList;
 use SilverStripe\Forms\FileField;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;
 use SilverStripe\Forms\TreeDropdownField;
 use SilverStripe\ORM\ValidationResult;
+use SilverStripe\Security\Member;
 use SilverStripe\UserForms\Model\EditableFormField;
 use SilverStripe\UserForms\Model\Submission\SubmittedFileField;
 /**
 * Allows a user to add a field that can be used to upload a file.
 *
+ * @method Folder Folder
+ * @property int FolderID
+ * @property float MaxFileSizeMB
 * @package userforms
 */
 class EditableFileField extends EditableFormField
@@ -60,14 +66,18 @@ class EditableFileField extends EditableFormField
 )
 );
- $fields->addFieldToTab("Root.Main", LiteralField::create(
- 'FileUploadWarning',
- '

' . _t(
- 'SilverStripe\\UserForms\\Model\\UserDefinedForm.FileUploadWarning',
- 'Files uploaded through this field could be publicly accessible if the exact URL is known'
- )
- . '

'
- ), 'Type');
+ // Warn the user if the folder targeted by this field is not restricted
+ if ($this->FolderID && !$this->Folder()->hasRestrictedAccess()) {
+ $fields->addFieldToTab("Root.Main", LiteralField::create(
+ 'FileUploadWarning',
+ '

' . _t(
+ 'SilverStripe\\UserForms\\Model\\UserDefinedForm.UnrestrictedFileUploadWarning',
+ 'Access to the current upload folder "{path}" is not restricted. Uploaded files will be publicly accessible if the exact URL is known.',
+ ['path' => Convert::raw2att($this->Folder()->Filename)]
+ )
+ . '

'
+ ), 'Type');
+ }
 $fields->addFieldToTab(
 'Root.Main',
diff --git a/composer.json b/composer.json
index 22a9811..1554126 100644
--- a/composer.json
+++ b/composer.json
@@ -31,7 +31,7 @@
 ],
 "require": {
 "php": ">=7.1",
- "silverstripe/cms": "^4.0",
+ "silverstripe/cms": "^4.6",
 "symbiote/silverstripe-gridfieldextensions": "^3.1",
 "silverstripe/segment-field": "^2.0",
 "silverstripe/versioned": "^1.0"
diff --git a/lang/en.yml b/lang/en.yml
index 5e424ed..29ef343 100644
--- a/lang/en.yml
+++ b/lang/en.yml
@@ -261,7 +261,7 @@ en:
 EMAIL_RECIPIENT_UNSAVED_FORM: 'You will be able to select from valid form fields after saving this record.'
 EmailFromContent: 'The from address allows you to set who the email comes from. On most servers this will need to be set to an email address on the same domain name as your site. For example on yoursite.com the from address may need to be something@yoursite.com. You can however, set any email address you wish as the reply to address.'
 FROMADDRESS: 'Send email from'
- FileUploadWarning: 'Files uploaded through this field could be publicly accessible if the exact URL is known'
+ UnrestrictedFileUploadWarning: 'Access to the current upload folder "{path}" is not restricted. Uploaded files will be publicly accessible if the exact URL is known.'
 HIDEFORMDATA: 'Hide form data from email?'
 ORSELECTAFIELDTOUSEASFROM: '.. or select a field to use as reply to address'
 ORSELECTAFIELDTOUSEASTO: '.. or select a field to use as the to address'
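Review bot: In the second hunk of EditableFileField.php, the new guard `if ($this->FolderID && !$this->Folder()->hasRestrictedAccess())` shows no notice at all when `FolderID` is empty, whereas the removed code warned unconditionally. Where uploads land in that case is not visible here, but if they fall back to a default, publicly readable folder, editors lose the warning in exactly the unconfigured state. Consider treating a missing folder as unrestricted, e.g. `$folder = $this->Folder();` followed by `if (!$folder->exists() || !$folder->hasRestrictedAccess()) {`, with a message variant that does not interpolate `{path}`. The `Convert::raw2att()` call deserves a short comment such as `// LiteralField renders raw HTML, so the folder path must be escaped here`, so that a later refactor does not drop it. The enclosing method starts and ends outside the hunk.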