
FIX Group->canEdit() correct non-admin checks (fixes #8250)

Due to changed return value of DataObject::get(),
the (negated) check always returned false.
This wasn't noticed in 3.0 because Group->canEdit() is rarely
enforced, but does become noticeable in 3.1 where GridField
checks those object-level permissions.

Thanks to @purplespider for reporting!
1 parent a1beda1 commit 79eacb2439025e11d2d0c5ec1b320c4d7d7a5e70 @chillu chillu committed Feb 7, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 security/Group.php
@@ -392,7 +392,7 @@ public function canEdit($member = null) {
// without this check, a user would be able to add himself to an administrators group
// with just access to the "Security" admin interface
Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
- !DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
+ !Permission::get()->filter(array('GroupID' => $this->ID, 'Code' => 'ADMIN'))->exists()
)
) {
return true;
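
Review bot: no regression test accompanies the changed condition on the `+` line, although the commit message says the old check went unnoticed through 3.0, and the change touches only security/Group.php (1 addition, 1 deletion). Please add a test for canEdit() that covers both outcomes for a member who holds only CMS_ACCESS_SecurityAdmin: false for a group with a Permission row where Code is 'ADMIN', true for a group without one. It is also worth searching for other negated `!DataObject::get(...)` conditions, since by the commit message's account each of them now always evaluates to false. Here the negation sits on the allow side, so the failure denied access; the same pattern guarding a deny branch would silently grant it.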
