Merge branch '5.15' into 5

code/Model/Submission/SubmittedFileField.php

@@ -6,6 +6,8 @@ use SilverStripe\Assets\File;
 use SilverStripe\Control\Director;
 use SilverStripe\ORM\FieldType\DBField;
 use SilverStripe\Versioned\Versioned;
+use SilverStripe\Security\Member;
+use SilverStripe\Security\Security;
 
 /**
  * A file uploaded on a {@link UserDefinedForm} and attached to a single
@@ -41,27 +43,40 @@ class SubmittedFileField extends SubmittedFormField
     {
         $name = $this->getFileName();
         $link = $this->getLink(false);
-        $title = _t(__CLASS__ . '.DOWNLOADFILE', 'Download File');
-        $message = _t(__CLASS__ . '.INSUFFICIENTRIGHTS', 'You don\'t have the right permissions to download this file');
-        $file = $this->getUploadedFileFromDraft();
-
         if ($link) {
-            if ($file->canView()) {
+            $title = _t(__CLASS__ . '.DOWNLOADFILE', 'Download File');
+            $file = $this->getUploadedFileFromDraft();
+            if (!$file->canView()) {
+                if (Security::getCurrentUser()) {
+                    // Logged in CMS user without permissions to view file in the CMS
+                    $default = 'You don\'t have the right permissions to download this file';
+                    $message = _t(__CLASS__ . '..INSUFFICIENTRIGHTS', $default);
+                    return DBField::create_field('HTMLText', sprintf(
+                        '<i class="icon font-icon-lock"></i> %s - <em>%s</em>',
+                        htmlspecialchars($name, ENT_QUOTES),
+                        htmlspecialchars($message, ENT_QUOTES)
+                    ));
+                } else {
+                    // Userforms submission filled in by non-logged in user being emailed to recipient
+                    $message = _t(__CLASS__ . '.YOUMUSTBELOGGEDIN', 'You must be logged in to view this file');
+                    return DBField::create_field('HTMLText', sprintf(
+                        '%s - <a href="%s" target="_blank">%s</a> - <em>%s</em>',
+                        htmlspecialchars($name, ENT_QUOTES),
+                        htmlspecialchars($link, ENT_QUOTES),
+                        htmlspecialchars($title, ENT_QUOTES),
+                        htmlspecialchars($message, ENT_QUOTES)
+                    ));
+                }
+            } else {
+                // Logged in CMS user with permissions to view file in the CMS
                 return DBField::create_field('HTMLText', sprintf(
                     '%s - <a href="%s" target="_blank">%s</a>',
                     htmlspecialchars($name, ENT_QUOTES),
                     htmlspecialchars($link, ENT_QUOTES),
                     htmlspecialchars($title, ENT_QUOTES)
                 ));
-            } else {
-                return DBField::create_field('HTMLText', sprintf(
-                    '<i class="icon font-icon-lock"></i> %s - <em>%s</em>',
-                    htmlspecialchars($name, ENT_QUOTES),
-                    htmlspecialchars($message, ENT_QUOTES)
-                ));
             }
         }
-
         return false;
     }
 

lang/en.yml

@@ -328,6 +328,7 @@ en:
       one: 'A Submitted File Field'
       other: '{count} Submitted File Fields'
     SINGULARNAME: 'Submitted File Field'
+    YOUMUSTBELOGGEDIN: 'You must be logged in to view this file'
     has_one_UploadedFile: 'Uploaded file'
   SilverStripe\UserForms\Model\Submission\SubmittedForm:
     PLURALNAME: 'Submitted Forms'

tests/php/Model/SubmittedFileFieldTest.php

@@ -73,34 +73,45 @@ class SubmittedFileFieldTest extends SapphireTest
         // Set an explicit base URL so we get a reliable value for the test
         Director::config()->set('alternate_base_url', 'http://mysite.com');
         $fileName = $this->submittedFile->getFileName();
-        $message = "You don't have the right permissions to download this file";
+        $link = 'http://mysite.com/assets/3c01bdbb26/test-SubmittedFileFieldTest.txt';
 
         $this->file->CanViewType = 'OnlyTheseUsers';
         $this->file->write();
 
-        $this->loginWithPermission('ADMIN');
+        // Userforms submission filled in by non-logged in user being emailed to recipient
+        $this->logOut();
         $this->assertEquals(
             sprintf(
-                '%s - <a href="http://mysite.com/assets/3c01bdbb26/test-SubmittedFileFieldTest.txt" target="_blank">Download File</a>',
-                $fileName
+                '%s - <a href="%s" target="_blank">%s</a> - <em>%s</em>',
+                $fileName,
+                $link,
+                'Download File',
+                'You must be logged in to view this file'
             ),
             $this->submittedFile->getFormattedValue()->value
         );
 
-        $this->loginWithPermission('CMS_ACCESS_CMSMain');
+        // Logged in CMS user without permissions to view file in the CMS
+        $this->logInWithPermission('CMS_ACCESS_CMSMain');
         $this->assertEquals(
             sprintf(
                 '<i class="icon font-icon-lock"></i> %s - <em>%s</em>',
                 $fileName,
-                $message
+                'You don&#039;t have the right permissions to download this file'
             ),
             $this->submittedFile->getFormattedValue()->value
         );
 
-        $store = Injector::inst()->get(AssetStore::class);
-        $this->assertFalse(
-            $store->canView($fileName, $this->file->getHash()),
-            'Users without canView rights on the file should not have been session granted access to it'
+        // Logged in CMS user with permissions to view file in the CMS
+        $this->loginWithPermission('ADMIN');
+        $this->assertEquals(
+            sprintf(
+                '%s - <a href="%s" target="_blank">%s</a>',
+                $fileName,
+                $link,
+                'Download File'
+            ),
+            $this->submittedFile->getFormattedValue()->value
         );
     }
 }