
BUG adding back in the ability to unpublish a page after the allowed_act... #306

Closed
wants to merge 1 commit into from

3 participants

@candidasa

...ions security fix

@simonwelsh

This opens up some CSRF on those endpoints, that can even be achieved using GET. Perhaps the batch action handler should be reworked so that it doesn't need the method to be in $allowed_actions to call it?

@candidasa

Without this fix the "unpublish" button in the CMS breaks with a Forbidden error for me. Quite a major bug.

@simonwelsh

Yes, but with this fix you can call unpublish, publish, delete and deletefromlive with a URL, which they are not written to handle.

The problem appears to be with https://github.com/silverstripe/sapphire/blob/3.0/forms/Form.php#L292 not finding the FormAction, so disallowing access to action.
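As an added illustration (not code from this PR or from silverstripe/sapphire) of how a state-changing action can sit in `$allowed_actions` without becoming a GET-triggerable CSRF endpoint, assuming the SilverStripe 3.0 APIs `SS_HTTPRequest::isPOST`, `SecurityToken::checkRequest`, `SiteTree::canPublish` and `SiteTree::doUnpublish`; the controller and action names are hypothetical:

```php
<?php
// Added example, not project code. Assumes SilverStripe 3.0 framework classes.
class ExamplePageController extends Controller {

    // Any method listed here is routable by URL (e.g. /ExamplePageController/unpublish)
    // with any HTTP method, so a listed action must defend itself.
    public static $allowed_actions = array(
        'unpublish',
    );

    public function unpublish(SS_HTTPRequest $request) {
        // Refuse GET: a state change must not be reachable from a plain link or <img src>.
        if(!$request->isPOST()) {
            return $this->httpError(405, 'POST required');
        }
        // Require the CSRF token that SilverStripe forms submit as the SecurityID field.
        if(!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Missing or invalid SecurityID');
        }
        // Enforce record-level permission independently of the transport checks above.
        $page = SiteTree::get()->byID((int) $request->postVar('ID'));
        if(!$page || !$page->canPublish()) {
            return $this->httpError(403, 'Not allowed');
        }
        $page->doUnpublish();
        return $this->redirectBack();
    }
}
```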

@chillu
Owner

Agree with Simon, this can't be merged as such. But: Can no longer reproduce the issue, potentially fixed by 6876c9a and/or 6876c9a

@chillu chillu closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Mar 25, 2013
  1. @candidasa
Showing with 4 additions and 0 deletions.
  1. +4 −0 code/controllers/CMSMain.php
4 code/controllers/CMSMain.php
@@ -46,6 +46,10 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
'treeview',
'listview',
'ListViewForm',
+ 'unpublish',
+ 'publish',
+ 'delete',
+ 'deletefromlive'
);
public function init() {
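Review bot: the four added entries make unpublish, publish, delete and deletefromlive directly routable controller actions reachable with any HTTP method, including GET, and nothing in this hunk adds a request-method or SecurityToken check to compensate, which is the CSRF concern raised in the thread. Rather than whitelisting them here, either let the batch action handler invoke these methods without requiring them in $allowed_actions, or have each method reject non-POST requests and verify the CSRF token before acting.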