
FIX Privilege escalation through Group and Member CSV upload (SS-2013…

1 parent 68ca47b commit 46556b609e7ec32901e3cfac9844932799731929 @chillu chillu committed Aug 30, 2013
Showing with 37 additions and 21 deletions.
  1. +33 −21 admin/code/SecurityAdmin.php
  2. +4 −0 docs/en/changelogs/3.0.6.md
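--- a/admin/code/SecurityAdmin.php
+++ b/admin/code/SecurityAdmin.php
@@ -86,7 +86,7 @@ public function getEditForm($id = null, $fields = null) {
 return $item->getBreadcrumbs(' > ');
 }
 ));
-
+
 $fields = new FieldList(
 $root = new TabSet(
 'Root',
@@ -100,34 +100,42 @@ public function getEditForm($id = null, $fields = null) {
 . ' database'
 )
 )
-),
-new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
-new LiteralField(
-'MemberImportFormIframe',
-sprintf(
-'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" frameBorder="0">'
-. '</iframe>',
-$this->Link('memberimport')
-)
 )
 ),
 $groupsTab = new Tab('Groups', singleton('Group')->i18n_plural_name(),
-$groupList,
-new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
-new LiteralField(
-'GroupImportFormIframe',
-sprintf(
-'<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" frameBorder="0">'
-. '</iframe>',
-$this->Link('groupimport')
-)
-)
+$groupList
 )
 ),
 // necessary for tree node selection in LeftAndMain.EditForm.js
 new HiddenField('ID', false, 0)
 );
+// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
+if(Permission::check('ADMIN')) {
+$fields->addFieldsToTab('Root.Users', array(
+new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
+new LiteralField(
+'MemberImportFormIframe',
+sprintf(
+'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" frameBorder="0">'
+. '</iframe>',
+$this->Link('memberimport')
+)
+)
+));
+$fields->addFieldsToTab('Root.Groups', array(
+new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
+new LiteralField(
+'GroupImportFormIframe',
+sprintf(
+'<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" frameBorder="0">'
+. '</iframe>',
+$this->Link('groupimport')
+)
+)
+));
+}
+
 // Tab nav in CMS is rendered through separate template
 $root->setTemplate('CMSTabSet');
@@ -195,6 +203,8 @@ public function memberimport() {
 * @return Form
 */
 public function MemberImportForm() {
+if(!Permission::check('ADMIN')) return false;
+
 $group = $this->currentPage();
 $form = new MemberImportForm(
 $this,
@@ -225,6 +235,8 @@ public function groupimport() {
 * @return Form
 */
 public function GroupImportForm() {
+if(!Permission::check('ADMIN')) return false;
+
 $form = new GroupImportForm(
 $this,
 'GroupImportForm'
@@ -306,7 +318,7 @@ public function providePermissions() {
 /**
 * The permissions represented in the $codes will not appearing in the form
 * containing {@link PermissionCheckboxSetField} so as not to be checked / unchecked.
-*
+*
 * @deprecated 3.1 Use "Permission.hidden_permissions" config setting instead
 * @param $codes String|Array
 */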
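Review bot: `MemberImportForm()` and `GroupImportForm()` now return `false` for non-admins while the docblocks directly above them still promise `@return Form`; either update both to `@return Form|false` or make the refusal explicit with `if(!Permission::check('ADMIN')) return $this->httpError(403);` so that callers, including the `memberimport()`/`groupimport()` actions that lie outside this hunk, never try to render or process a boolean. The same `Permission::check('ADMIN')` gate is now spelled out three times (getEditForm, MemberImportForm, GroupImportForm); a small private helper such as `canImport()` would keep the UI gate and the two form gates from drifting apart. The bodies of both form methods continue past the end of their hunks, so whatever they return later is not visible here. Style-wise, the braceless one-line `if(...) return false;` departs from the braced `if(Permission::check('ADMIN')) {` form used in the same commit.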
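--- a/docs/en/changelogs/3.0.6.md
+++ b/docs/en/changelogs/3.0.6.md
@@ -26,6 +26,10 @@ a custom start up script will still process all flush requests as normal.
 ### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
 See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)
+
+### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)
+
+See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)
 ## Upgrading
 * If you have created your own composite database fields, then you should amend the setValue() to allow the passing of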
