Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

BUG adding back in the ability to unpublish a page after the allowed_act... #306

wants to merge 1 commit into


None yet
3 participants

...ions security fix


simonwelsh commented Mar 25, 2013

This opens up some CSRF on those endpoints, that can even be achieved using GET. Perhaps the batch action handler should be reworked so that it doesn't need the method to be in $allowed_actions to call it?

Without this fix the "unpublish" button in the CMS breaks with a Forbidden error for me. Quite a major bug.


simonwelsh commented Mar 25, 2013

Yes, but with this fix you can call unpublish, publish, delete and deletefromlive with a URL, which they are not written to handle.

The problem appears to be with https://github.com/silverstripe/sapphire/blob/3.0/forms/Form.php#L292 not finding the FormAction, so disallowing access to action.


chillu commented Apr 25, 2013

Agree with Simon, this can't be merged as such. But: Can no longer reproduce the issue, potentially fixed by 6876c9a and/or 6876c9a

@chillu chillu closed this Apr 25, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment