
[SS-2016-012] FIX Missing ACL check on ReportAdmin

This issue exposed reports to users who were able to guess the URL of a report that they were not allowed to view.
dhensby authored and Damian Mooyman committed Jul 14, 2016
1 parent 4d17dcc commit 5f73d3454ecbc4850e91a0a3007102f6d4d9b853
Showing with 7 additions and 2 deletions.
  1. +7 −2 code/controllers/ReportAdmin.php
@@ -31,10 +31,12 @@ class ReportAdmin extends LeftAndMain implements PermissionProvider {
*/
protected $reportClass;
/**
* @var SS_Report
*/
protected $reportObject;
public function init() {
parent::init();
//set the report we are currently viewing from the URL
$this->reportClass = (isset($this->urlParams['ReportClass']) && $this->urlParams['ReportClass'] !== 'index')
@@ -43,6 +45,8 @@ public function init() {
$allReports = SS_Report::get_reports();
$this->reportObject = (isset($allReports[$this->reportClass])) ? $allReports[$this->reportClass] : null;
parent::init();
Requirements::css(CMS_DIR . '/css/screen.css');
// Set custom options for TinyMCE specific to ReportAdmin
@@ -68,7 +72,8 @@ public function canView($member = null) {
if(!parent::canView($member)) return false;
$hasViewableSubclasses = false;
if ($this->reportObject) return $this->reportObject->canView($member);
foreach($this->Reports() as $report) {
if($report->canView($member)) return true;
}
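Review bot: The new guard `if ($this->reportObject) return $this->reportObject->canView($member);` only protects what `$this->reportObject` holds, and the `init()` hunk now calls `parent::init()` before `$this->reportClass` and `$this->reportObject` are assigned; if `LeftAndMain::init()` is where `canView()` is evaluated for the request, that evaluation runs with a null report object and falls through to the pre-existing any-viewable-report loop, so the fix depends on an explicit check after `$this->reportObject` is set that is not visible in the rendered hunk (the section's 7 additions exceed the added lines shown here, so it may be among the lost lines — worth confirming). A requested `ReportClass` that is not found in `SS_Report::get_reports()` likewise leaves `reportObject` null and falls through to the loop rather than being denied; consider `if ($this->reportClass) return false;` immediately after the new guard so an unresolved explicit report name is rejected. `$hasViewableSubclasses = false;` is now dead at the early return and appears unused in the visible lines; `canView()` continues beyond the hunk.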

