FIX Do now allow arbitary class creation in CMS

silverstripe · Mar 26, 2014 · bf9b22f · bf9b22f
1 parent b6194c3
commit bf9b22f
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/code/controllers/CMSMain.php b/code/controllers/CMSMain.php
@@ -865,8 +865,17 @@ public function save($data, $form) {
 	 * @uses LeftAndMainExtension->augmentNewSiteTreeItem()
 	 */
 	public function getNewItem($id, $setID = true) {
+		$parentClass = $this->stat('tree_class');
 		list($dummy, $className, $parentID, $suffix) = array_pad(explode('-',$id),4,null);
 
+		if(!is_subclass_of($className, $parentClass) && strcasecmp($className, $parentClass) != 0) {
+			$response = Security::permissionFailure($this);
+			if (!$response) {
+				$response = $this->response;
+			}
+			throw new SS_HTTPResponse_Exception($response);
+		}
+
 		$newItem = new $className();
 
 	    if( !$suffix ) {

diff --git a/tests/controller/CMSMainTest.php b/tests/controller/CMSMainTest.php
@@ -284,6 +284,27 @@ public function testBreadcrumbs() {
 
 		$this->session()->inst_set('loggedInAs', null);
 	}
+
+	public function testGetNewItem() {
+		$controller = new CMSMain();
+		$id = 'new-Page-0';
+
+		// Test success
+		$page = $controller->getNewItem($id, false);
+
+		$this->assertEquals($page->Title, 'New Page');
+		$this->assertNotEquals($page->Sort, 0);
+		$this->assertInstanceOf('Page', $page);
+
+		// Test failure
+		try {
+			$id = 'new-Member-0';
+			$member = $controller->getNewItem($id, false);
+			$this->fail('Should not be able to create a Member object');
+		} catch (SS_HTTPResponse_Exception $e) {
+			$this->assertEquals($controller->getResponse()->getStatusCode(), 302);
+		}
+	}
 }
 
 class CMSMainTest_ClassA extends Page implements TestOnly {
@@ -292,4 +313,4 @@ class CMSMainTest_ClassA extends Page implements TestOnly {
 
 class CMSMainTest_ClassB extends Page implements TestOnly {
 
-}
+}