
FIX Do now allow arbitary class creation in CMS

1 parent b6194c3 commit bf9b22fd4331a6f78cec12a75262f570b025ec2d @ss23 ss23 committed Mar 19, 2014
Showing with 31 additions and 1 deletion.
  1. +9 −0 code/controllers/CMSMain.php
  2. +22 −1 tests/controller/CMSMainTest.php
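--- a/code/controllers/CMSMain.php
+++ b/code/controllers/CMSMain.php
@@ -865,8 +865,17 @@ public function save($data, $form) {
 * @uses LeftAndMainExtension->augmentNewSiteTreeItem()
 */
 public function getNewItem($id, $setID = true) {
+ $parentClass = $this->stat('tree_class');
 list($dummy, $className, $parentID, $suffix) = array_pad(explode('-',$id),4,null);
+ if(!is_subclass_of($className, $parentClass) && strcasecmp($className, $parentClass) != 0) {
+ $response = Security::permissionFailure($this);
+ if (!$response) {
+ $response = $this->response;
+ }
+ throw new SS_HTTPResponse_Exception($response);
+ }
+
 $newItem = new $className();
 if( !$suffix ) {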
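Review bot: The docblock directly above the hunk does not record that getNewItem now throws when the class segment of `$id` is neither `tree_class` nor a subclass of it, which is the behaviour callers most need to know about; add `@throws SS_HTTPResponse_Exception if the class in $id is not $this->stat('tree_class') or a subclass of it` to it. The two-part guard `!is_subclass_of($className, $parentClass) && strcasecmp($className, $parentClass) != 0` can be expressed as the single `if(!is_a($className, $parentClass, true))`, which covers both the equal-class and subclass cases, though the string form of `is_a` needs PHP 5.3.9 or later, so confirm the project's minimum version first. Because `$className` is taken verbatim from the request, a short comment such as `// $className is request-controlled: only instantiate it once it is proven to be a tree_class subclass` would make the intent of the ordering (check before `new $className()`) explicit for later maintainers. The body of getNewItem continues past the end of the hunk.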
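--- a/tests/controller/CMSMainTest.php
+++ b/tests/controller/CMSMainTest.php
@@ -284,6 +284,27 @@ public function testBreadcrumbs() {
 $this->session()->inst_set('loggedInAs', null);
 }
+
+ public function testGetNewItem() {
+ $controller = new CMSMain();
+ $id = 'new-Page-0';
+
+ // Test success
+ $page = $controller->getNewItem($id, false);
+
+ $this->assertEquals($page->Title, 'New Page');
+ $this->assertNotEquals($page->Sort, 0);
+ $this->assertInstanceOf('Page', $page);
+
+ // Test failure
+ try {
+ $id = 'new-Member-0';
+ $member = $controller->getNewItem($id, false);
+ $this->fail('Should not be able to create a Member object');
+ } catch (SS_HTTPResponse_Exception $e) {
+ $this->assertEquals($controller->getResponse()->getStatusCode(), 302);
+ }
+ }
 }
 class CMSMainTest_ClassA extends Page implements TestOnly {
@@ -292,4 +313,4 @@ class CMSMainTest_ClassA extends Page implements TestOnly {
 class CMSMainTest_ClassB extends Page implements TestOnly {
-}
+}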
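Review bot: In the failure branch of testGetNewItem the assertion reads `$controller->getResponse()`, which is only meaningful if Security::permissionFailure happened to mutate the controller's own response; the response that was actually rejected travels inside the exception, so assert on that instead with `$this->assertEquals(302, $e->getResponse()->getStatusCode());`. The success-branch assertions pass the actual value first and the expected value second (`$this->assertEquals($page->Title, 'New Page')`), which inverts the expected/actual labels in PHPUnit's failure output; swap them to `$this->assertEquals('New Page', $page->Title);` and likewise for `Sort`. `$member` is assigned and never read, so the call can stand alone as `$controller->getNewItem($id, false);`. The enclosing CMSMainTest class begins outside the hunk, and the second hunk in this file only restores the trailing newline on CMSMainTest_ClassB.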
