tonyair/silverstripe-versionfeed
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-versionfeed synced 2024-10-22 11:05:31 +02:00
Code Issues Projects Releases Wiki Activity

Protect the allchanges from leaking protected information.

Browse Source 
Add warnings.
This commit is contained in:
Mateusz Uzdowski 2013-07-23 10:07:32 +12:00
parent dc5012f118
commit 35e44e92eb
2 changed files with 29 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
code/VersionFeed.php
View File

@ -83,9 +83,24 @@ class VersionFeed extends SiteTreeExtension {
$fields->addFieldToTab('Root.Settings', $publicHistory = new FieldGroup( $fields->addFieldToTab('Root.Settings', $publicHistory = new FieldGroup(
new CheckboxField('PublicHistory', $this->owner->fieldLabel(_t( new CheckboxField('PublicHistory', $this->owner->fieldLabel(_t(
'RSSHistory.LABEL', 'RSSHistory.LABEL',
'Publish public RSS feed containing every published version of this page.')) 'Make history public'))
))); )));
$publicHistory->setTitle($this->owner->fieldLabel('Public history')); $publicHistory->setTitle($this->owner->fieldLabel('Public history'));
$warning =
"Publicising the history will also disclose the changes that have at the time been protected " .
"from the public view.";
$fields->addFieldToTab('Root.Settings', new LiteralField('PublicHistoryWarning', $warning), 'PublicHistory');
if ($this->owner->CanViewType!='Anyone') {
$warning =
"Changing access settings in such a way that this page or pages under it become publicly<br>" .
"accessible may result in publicising all historical changes on these pages too. Please review<br>" .
"this section's \"Public history\" settings to ascertain only intended information is disclosed.";
$fields->addFieldToTab('Root.Settings', new LiteralField('PublicHistoryWarning2', $warning), 'CanViewType');
}
} }
public function getSiteRSSLink() { public function getSiteRSSLink() {

18
code/VersionFeed_Controller.php
View File

@ -29,12 +29,12 @@ class VersionFeed_Controller extends Extension {
function changes() { function changes() {
if(!$this->owner->PublicHistory) throw new SS_HTTPResponse_Exception('Page history not viewable', 404);; if(!$this->owner->PublicHistory) throw new SS_HTTPResponse_Exception('Page history not viewable', 404);;
// Cache the diffs, otherwise it will take 5secs to generate 100 diffs which could lead to DOS. // Cache the diffs to remove DOS possibility.
$cache = SS_Cache::factory('VersionFeed_Controller'); $cache = SS_Cache::factory('VersionFeed_Controller');
$cache->setOption('automatic_serialization', true); $cache->setOption('automatic_serialization', true);
$key = 'changes' . $this->owner->Version; $key = 'changes' . $this->owner->Version;
$entries = $cache->load($key); $entries = $cache->load($key);
if(!$entries) { if(!$entries || isset($_GET['flush'])) {
$entries = $this->owner->getDiffedChanges(); $entries = $this->owner->getDiffedChanges();
$cache->save($entries, $key); $cache->save($entries, $key);
} }
@ -57,19 +57,27 @@ class VersionFeed_Controller extends Extension {
if ($lastChange) { if ($lastChange) {
// Cache the diffs, otherwise it will take 5secs to generate 100 diffs which could lead to DOS. // Cache the diffs to remove DOS possibility.
$member = Member::currentUser();
$cache = SS_Cache::factory('VersionFeed_Controller'); $cache = SS_Cache::factory('VersionFeed_Controller');
$cache->setOption('automatic_serialization', true); $cache->setOption('automatic_serialization', true);
$key = 'allchanges' . preg_replace('#[^a-zA-Z0-9_]#', '', $lastChange['LastEdited']); $key = 'allchanges' . preg_replace('#[^a-zA-Z0-9_]#', '', $lastChange['LastEdited']) .
($member ? $member->ID : 'public');
$changeList = $cache->load($key); $changeList = $cache->load($key);
if(!$changeList) { if(!$changeList || isset($_GET['flush'])) {
$changeList = new ArrayList(); $changeList = new ArrayList();
foreach ($latestChanges as $record) { foreach ($latestChanges as $record) {
// Check if the page should be visible.
// WARNING: although we are providing historical details, we check the current configuration.
$page = SiteTree::get()->filter(array('ID'=>$record['RecordID']))->First();
if (!$page->canView(new Member())) continue;
// Get the diff to the previous version. // Get the diff to the previous version.
$version = new Versioned_Version($record); $version = new Versioned_Version($record);
$changes = $version->getDiffedChanges($version->Version, false); $changes = $version->getDiffedChanges($version->Version, false);
if ($changes && $changes->Count()) $changeList->push($changes->First()); if ($changes && $changes->Count()) $changeList->push($changes->First());
} }