BUG adding back in the ability to unpublish a page after the allowed_actions security fix #306

wants to merge 1 commit

3 participants


This opens up some CSRF on those endpoints, that can even be achieved using GET. Perhaps the batch action handler should be reworked so that it doesn't need the method to be in $allowed_actions to call it?


Without this fix the "unpublish" button in the CMS breaks with a Forbidden error for me. Quite a major bug.


Yes, but with this fix you can call unpublish, publish, delete and deletefromlive with a URL, which they are not written to handle.

The problem appears to be with not finding the FormAction, so access to the action is disallowed.


Agree with Simon, this can't be merged as such. But: Can no longer reproduce the issue, potentially fixed by 6876c9a and/or 6876c9a

@chillu chillu closed this
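The exposure Simon describes above, as an added example that is not SilverStripe's own code: a controller whose state-changing method is merely listed in $allowed_actions answers a plain GET with no token check, beside a hardened version of the same action. It assumes the SilverStripe 3.1 framework classes (Controller, SS_HTTPRequest, SecurityToken, SiteTree) are autoloaded and that Director routes the controller; the two controller class names are hypothetical.

```php
<?php
// Added example, not SilverStripe's or this PR's code. Assumes the SilverStripe 3.1
// framework (Controller, SS_HTTPRequest, SecurityToken, SiteTree) is autoloaded and
// that a Director rule maps these controllers to a URL. Class names are hypothetical.

// Weak: whitelisting a state-changing method in $allowed_actions makes it routable as
// /WeakPageActionController/unpublish/<ID>, including by an <img src=...> on any site the
// logged-in CMS user visits. Nothing checks the HTTP method or the form's SecurityID.
class WeakPageActionController extends Controller {

    private static $allowed_actions = array(
        'unpublish',
    );

    public function unpublish(SS_HTTPRequest $request) {
        $id   = (int) $request->param('ID');
        $page = SiteTree::get()->byID($id);
        if (!$page) return $this->httpError(404);
        $page->doUnpublish();          // reachable by GET, no CSRF token, no model permission check
        return 'Unpublished ' . $id;
    }
}

// Hardened: still whitelisted, so a CMS button that posts here is not Forbidden, but the
// action refuses GET, requires the SecurityID that only a form rendered for this session
// carries, and asks the model whether this member may publish at all.
class HardenedPageActionController extends Controller {

    private static $allowed_actions = array(
        // A permission code as the value makes the framework deny the action outright
        // to members without that permission, before the method body runs.
        'unpublish' => 'CMS_ACCESS_CMSMain',
    );

    public function unpublish(SS_HTTPRequest $request) {
        // A GET must never change state; it is exactly what a cross-site <img> or link sends.
        if (!$request->isPOST()) {
            return $this->httpError(405, 'POST required');
        }
        // SecurityToken::checkRequest() compares the SecurityID field in the request with the
        // token stored in the session; a form served by another origin cannot supply it.
        if (!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Missing or invalid SecurityID');
        }
        $id   = (int) $request->param('ID');
        $page = SiteTree::get()->byID($id);
        if (!$page) return $this->httpError(404);
        // Controller-level access is not object-level access: let the record decide.
        if (!$page->canPublish()) {
            return $this->httpError(403);
        }
        $page->doUnpublish();
        return 'Unpublished ' . $id;
    }
}
```

The method and token checks are the minimum that makes listing such an action in $allowed_actions safe; the permission code on the whitelist entry is an extra layer, not a substitute, because it says nothing about who sent the request.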
Commits on Mar 25, 2013
  1. @candidasa
Showing with 4 additions and 0 deletions.

+4 −0 code/controllers/CMSMain.php
@@ -46,6 +46,10 @@ class CMSMain extends LeftAndMain implements CurrentPageIdentifier, PermissionPr
+ 'unpublish',
+ 'publish',
+ 'delete',
+ 'deletefromlive'
public function init() {
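Review bot: the four new entries make unpublish, publish, delete and deletefromlive directly routable actions on CMSMain, and nothing in this hunk restricts the HTTP method or checks the form's SecurityID, so the CSRF-via-GET exposure raised in the discussion now applies to all four methods. If the whitelist is kept, each of those methods needs to reject non-POST requests and verify `SecurityToken::inst()->checkRequest($request)` before touching the page (a permission code on the entry, e.g. `'unpublish' => 'CMS_ACCESS_CMSMain',`, would add an access check but not a CSRF one), and a comment should say why these are whitelisted at all. The cleaner fix is the one proposed in the thread: let the batch action handler reach these methods without them being in $allowed_actions, so the missing-FormAction Forbidden goes away without opening URL access.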