Make AssetAdmin obey file permissions #952

Merged
merged 1 commit into from

2 participants

@hdrlab

This updates Silverstripe 2.4.x's AssetAdmin to obey per-file/folder permissions.

NOTE: I noticed that Silverstripe 3's AssetAdmin checks a canAddChildren() function. This patch doesn't use that, as I'm assuming that this is new in SS 3. If this is not the case, then this patch will have to be updated.

@hdrlab hdrlab Make AssetAdmin obey file permissions
This updates Silverstripe 2.4.x's AssetAdmin to obey per-file/folder permissions. 

NOTE: I noticed that Silverstripe 3's AssetAdmin checks a canAddChildren() function. This patch doesn't use that, as I'm assuming that this is new in SS 3. If this is not the case, then this patch will have to be updated.
dc08172
@simonwelsh simonwelsh merged commit f53c42f into silverstripe:post-2.4
Commits on Feb 20, 2014
  1. @hdrlab

    Make AssetAdmin obey file permissions

    hdrlab authored
    This updates Silverstripe 2.4.x's AssetAdmin to obey per-file/folder permissions. 
    
    NOTE: I noticed that Silverstripe 3's AssetAdmin checks a canAddChildren() function. This patch doesn't use that, as I'm assuming that this is new in SS 3. If this is not the case, then this patch will have to be updated.
Showing with 26 additions and 2 deletions.
  1. +26 −2 code/AssetAdmin.php
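--- a/code/AssetAdmin.php
+++ b/code/AssetAdmin.php
@@ -122,7 +122,7 @@ function uploadiframe() {
 if($id) $folder = DataObject::get_by_id("Folder", $id);
 else $folder = singleton('Folder');
-return array( 'CanUpload' => $folder->canEdit());
+return array( 'CanUpload' => $folder->canCreate());
 }
 /**
@@ -215,6 +215,8 @@ function doUpload($data, $form) {
 } else {
 $folder = singleton('Folder');
 }
+
+if(!$folder->canCreate()) return Security::permissionFailure($this);
 foreach($processedFiles as $filePostId => $tmpFile) {
 if($tmpFile['error'] == UPLOAD_ERR_NO_TMP_DIR) {
@@ -367,7 +369,7 @@ function getEditForm($id) {
 }
 if(!$record->canEdit()) {
-$form->makeReadonly();
+$fields->replaceField('Title', $fields->dataFieldByName('Title')->performReadonlyTransformation());
 }
 $this->extend('updateEditForm', $form);
@@ -385,11 +387,18 @@ public function movemarked($urlParams, $form) {
 $destFolderID = ($_REQUEST['DestFolderID'] == 'root') ? 0 : $_REQUEST['DestFolderID'];
 $fileList = "'" . ereg_replace(' *, *',"','",trim(Convert::raw2sql($_REQUEST['FileIDs']))) . "'";
 $numFiles = 0;
+
+$destFolder = DataObject::get("Folder", "\"File\".\"ID\" = ($destFolderID)");
+if(!$destFolder || $destFolder->ID == 0){
+user_error("Destination folder could be found!", E_USER_ERROR);
+}
+if(!$destFolder->canEdit()) return Security::permissionFailure($this);
 if($fileList != "''") {
 $files = DataObject::get("File", "\"File\".\"ID\" IN ($fileList)");
 if($files) {
 foreach($files as $file) {
+if(!$file->canEdit()) return Security::permissionFailure($this)
 if($file instanceof Image) {
 $file->deleteFormattedImages();
 }
@@ -427,6 +436,8 @@ public function deletemarked($urlParams, $form) {
 if($files) {
 $brokenPages = array();
 foreach($files as $file) {
+if(!$file->canDelete()) return Security::permissionFailure($this);
+
 $brokenPages = array_merge($brokenPages, $file->BackLinkTracking()->toArray());
 if($file instanceof Image) {
 $file->deleteFormattedImages();
@@ -488,6 +499,7 @@ public function getfile() {
 public function savefile($data, $form) {
 $record = DataObject::get_by_id("File", $data['ID']);
 if(!$record) return $this->httpError(400);
+if(!$record->canEdit()) return Security::permissionFailure($this);
 $form->saveInto($record);
 $record->write();
@@ -578,6 +590,15 @@ public function addfolder($request) {
 if(!$parentObj || !$parentObj->ID) $parent = 0;
 }
+// Security check
+if(isset($parentObj->ID)) {
+if(!$parentObj->canCreate()) { return Security::permissionFailure($this); }
+}
+else
+{
+if(!singleton('Folder')->canCreate()) { return Security::permissionFailure($this); }
+}
+
 // Get the folder to be created
 if(isset($parentObj->ID)) $filename = $parentObj->FullPath . $name;
 else $filename = ASSETS_PATH . '/' . $name;
@@ -647,6 +668,7 @@ public function deletefolder($data, $form) {
 if(is_numeric($id)) {
 $record = DataObject::get_by_id($this->stat('tree_class'), $id);
 if($record) {
+if(!$record->canDelete()) { return Security::permissionFailure($this); }
 $script .= $this->deleteTreeNodeJS($record);
 $record->delete();
 $record->destroy();
@@ -675,6 +697,8 @@ public function removefile($request){
 $file = DataObject::get_by_id('File', $fileID);
 if(!$file) return $this->httpError(400);
+if(!$file->canDelete()) { return Security::permissionFailure($this); }
+
 // Delete the temp verions of this file in assets/_resampled
 if($file instanceof Image) {
 $file->deleteFormattedImages();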
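Review bot: In the movemarked hunk, the added lookup `DataObject::get("Folder", "\"File\".\"ID\" = ($destFolderID)")` places `$destFolderID` from `$_REQUEST['DestFolderID']` into the WHERE clause with no cast or `Convert::raw2sql()`, so the new permission check is itself a SQL injection point; `$destFolder = DataObject::get_by_id("Folder", (int)$destFolderID);` would avoid it. `DataObject::get()` also returns a set rather than a single record, so `$destFolder->ID` and `$destFolder->canEdit()` probably do not test the requested folder, and the `== 0` guard turns a move to 'root' (ID 0) into a fatal error whose message is missing "not". The added `if(!$file->canEdit()) return Security::permissionFailure($this)` has no terminating semicolon and will not parse as shown. The per-file checks here and in deletemarked run inside the loop, so files earlier in the list are already moved or deleted when a later one is denied; checking every file before acting on any would avoid a partial result. movemarked's body continues outside the hunk.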