Protect the allchanges from leaking protected information.
Add warnings.
This commit is contained in:
Mateusz Uzdowski
parent
dc5012f118
commit
35e44e92eb
|
|
@ -83,9 +83,24 @@ class VersionFeed extends SiteTreeExtension {
|
|||
$fields->addFieldToTab('Root.Settings', $publicHistory = new FieldGroup(
|
||||
new CheckboxField('PublicHistory', $this->owner->fieldLabel(_t(
|
||||
'RSSHistory.LABEL',
|
||||
'Publish public RSS feed containing every published version of this page.'))
|
||||
'Make history public'))
|
||||
)));
|
||||
$publicHistory->setTitle($this->owner->fieldLabel('Public history'));
|
||||
|
||||
$warning =
|
||||
"Publicising the history will also disclose the changes that have at the time been protected " .
|
||||
"from the public view.";
|
||||
|
||||
$fields->addFieldToTab('Root.Settings', new LiteralField('PublicHistoryWarning', $warning), 'PublicHistory');
|
||||
|
||||
if ($this->owner->CanViewType!='Anyone') {
|
||||
$warning =
|
||||
"Changing access settings in such a way that this page or pages under it become publicly<br>" .
|
||||
"accessible may result in publicising all historical changes on these pages too. Please review<br>" .
|
||||
"this section's \"Public history\" settings to ascertain only intended information is disclosed.";
|
||||
|
||||
$fields->addFieldToTab('Root.Settings', new LiteralField('PublicHistoryWarning2', $warning), 'CanViewType');
|
||||
}
|
||||
}
|
||||
|
||||
public function getSiteRSSLink() {
|
||||
|
|
|
|||
|
|
@ -29,12 +29,12 @@ class VersionFeed_Controller extends Extension {
|
|||
function changes() {
|
||||
if(!$this->owner->PublicHistory) throw new SS_HTTPResponse_Exception('Page history not viewable', 404);;
|
||||
|
||||
// Cache the diffs, otherwise it will take 5secs to generate 100 diffs which could lead to DOS.
|
||||
// Cache the diffs to remove DOS possibility.
|
||||
$cache = SS_Cache::factory('VersionFeed_Controller');
|
||||
$cache->setOption('automatic_serialization', true);
|
||||
$key = 'changes' . $this->owner->Version;
|
||||
$entries = $cache->load($key);
|
||||
if(!$entries) {
|
||||
if(!$entries || isset($_GET['flush'])) {
|
||||
$entries = $this->owner->getDiffedChanges();
|
||||
$cache->save($entries, $key);
|
||||
}
|
||||
|
|
@ -57,19 +57,27 @@ class VersionFeed_Controller extends Extension {
|
|||
|
||||
if ($lastChange) {
|
||||
|
||||
// Cache the diffs, otherwise it will take 5secs to generate 100 diffs which could lead to DOS.
|
||||
// Cache the diffs to remove DOS possibility.
|
||||
$member = Member::currentUser();
|
||||
$cache = SS_Cache::factory('VersionFeed_Controller');
|
||||
$cache->setOption('automatic_serialization', true);
|
||||
$key = 'allchanges' . preg_replace('#[^a-zA-Z0-9_]#', '', $lastChange['LastEdited']);
|
||||
$key = 'allchanges' . preg_replace('#[^a-zA-Z0-9_]#', '', $lastChange['LastEdited']) .
|
||||
($member ? $member->ID : 'public');
|
||||
|
||||
$changeList = $cache->load($key);
|
||||
if(!$changeList) {
|
||||
if(!$changeList || isset($_GET['flush'])) {
|
||||
|
||||
$changeList = new ArrayList();
|
||||
|
||||
foreach ($latestChanges as $record) {
|
||||
// Check if the page should be visible.
|
||||
// WARNING: although we are providing historical details, we check the current configuration.
|
||||
$page = SiteTree::get()->filter(array('ID'=>$record['RecordID']))->First();
|
||||
if (!$page->canView(new Member())) continue;
|
||||
|
||||
// Get the diff to the previous version.
|
||||
$version = new Versioned_Version($record);
|
||||
|
||||
$changes = $version->getDiffedChanges($version->Version, false);
|
||||
if ($changes && $changes->Count()) $changeList->push($changes->First());
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue