
BUGFIX: Ticket #6069 Checking of URLSegment can end in an infinite lo…

…op (when saving Page in CMS)
commit 856991d644b51f0dfbf0b9d0f72eb4171b68a6ca 1 parent 04e5ff0
carlos barberis authored June 14, 2012 sminnee committed June 15, 2012
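--- a/control/RequestHandler.php
+++ b/control/RequestHandler.php
@@ -244,18 +244,18 @@ public function hasAction($action) {
 		
 		$action  = strtolower($action);
 		$actions = $this->allowedActions();
-		
+
 		// Check if the action is defined in the allowed actions as either a
 		// key or value. Note that if the action is numeric, then keys are not
 		// searched for actions to prevent actual array keys being recognised
 		// as actions.
 		if(is_array($actions)) {
 			$isKey   = !is_numeric($action) && array_key_exists($action, $actions);
-			$isValue = in_array($action, $actions);
-
-			if($isKey || $isValue) return true;
+			$isValue = in_array($action, $actions, true);
+			$isWildcard = (in_array('*', $actions) && $this->checkAccessAction($action));
+			if($isKey || $isValue || $isWildcard) return true;
 		}
-		
+
 		if(!is_array($actions) || !$this->config()->get('allowed_actions', Config::UNINHERITED | Config::EXCLUDE_EXTRA_SOURCES)) {
 			if($action != 'init' && $action != 'run' && method_exists($this, $action)) return true;
 		}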
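Review bot: The wildcard test on new line 255, `in_array('*', $actions)`, still compares loosely even though the `$isValue` check one line above was just made strict. Under PHP's loose rules `'*'` equals a boolean `true` value (and integer `0` before PHP 8), so an `$allowed_actions` array holding such a value would be treated as containing a wildcard, leaving the decision to `checkAccessAction()` alone. I would write `$isWildcard = (in_array('*', $actions, true) && $this->checkAccessAction($action));`, and if the wildcard is declared as an array key rather than a value, which is not visible here, test it with `array_key_exists('*', $actions)` instead. The body of hasAction() starts and ends outside this hunk, and the commit title mentions only the URLSegment loop, so a short comment explaining the wildcard branch would help later readers.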
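--- a/tests/control/ControllerTest.php
+++ b/tests/control/ControllerTest.php
@@ -57,7 +57,7 @@ function testAllowedActions() {
 		);
 		
 		$response = $this->get("ControllerTest_FullSecuredController/adminonly");
-		$this->assertEquals(403, $response->getStatusCode(),
+		$this->assertEquals(404, $response->getStatusCode(),
 			"Actions can be globally disallowed by using asterisk (*) instead of a method name"
 		);
 		
@@ -73,6 +73,12 @@ function testAllowedActions() {
 			$response->getStatusCode(), 
 			"Permission codes are respected when set in \$allowed_actions"
 		);
+
+		$response = $this->get("ControllerTest_FullSecuredController/adminonly");
+		$this->assertEquals(200, $response->getStatusCode(),
+			"Actions can be globally disallowed by using asterisk (*) instead of a method name"
+		);
+		$this->session()->inst_set('loggedInAs', null);
 	}
 	
 	/**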
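Review bot: The assertion added at new lines 77-80 expects 200 but reuses the failure message of the 404 case, which describes the opposite outcome. A message such as `"Wildcard (*) actions are reachable once the required permission is held"` would make a failure readable. The `loggedInAs` reset on new line 81 runs only if every earlier assertion passes; the login itself is outside the hunk, so presumably a failing assertion would leave the session logged in for later tests unless teardown clears it, which is worth confirming. The 403 to 404 expectation at line 60 also changes what an unauthenticated caller observes for a wildcard-protected action and deserves a sentence in the commit description.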
