BUGFIX: Ticket #6069 Checking of URLSegment can end in an infinite loop (when saving Page in CMS)
commit 856991d644b51f0dfbf0b9d0f72eb4171b68a6ca 1 parent 04e5ff0
carlos barberis cbarberis authored sminnee committed
Showing with 12 additions and 6 deletions.
  1. +5 −5 control/RequestHandler.php
  2. +7 −1 tests/control/ControllerTest.php
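--- a/control/RequestHandler.php
+++ b/control/RequestHandler.php
@@ -244,18 +244,18 @@ public function hasAction($action) {
 $action = strtolower($action);
 $actions = $this->allowedActions();
-
+
 // Check if the action is defined in the allowed actions as either a
 // key or value. Note that if the action is numeric, then keys are not
 // searched for actions to prevent actual array keys being recognised
 // as actions.
 if(is_array($actions)) {
 $isKey = !is_numeric($action) && array_key_exists($action, $actions);
-$isValue = in_array($action, $actions);
-
-if($isKey || $isValue) return true;
+$isValue = in_array($action, $actions, true);
+$isWildcard = (in_array('*', $actions) && $this->checkAccessAction($action));
+if($isKey || $isValue || $isWildcard) return true;
 }
-
+
 if(!is_array($actions) || !$this->config()->get('allowed_actions', Config::UNINHERITED | Config::EXCLUDE_EXTRA_SOURCES)) {
 if($action != 'init' && $action != 'run' && method_exists($this, $action)) return true;
 }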
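Review bot: The new wildcard lookup `in_array('*', $actions)` is a loose comparison on the very line where the commit makes the action lookup strict, and under loose rules `'*' == true` holds, so any allowed_actions entry whose value is `true` makes `$isWildcard` depend solely on checkAccessAction() for every action name rather than only when a literal `'*'` entry exists. Use `$isWildcard = (in_array('*', $actions, true) && $this->checkAccessAction($action));` so the wildcard path opens only for an explicit `'*'` entry in the access list. The commit message describes an infinite loop; if checkAccessAction() itself consults hasAction() (its body is not visible here), this wildcard branch re-enters the same cycle and deserves either a guard or a comment stating why it cannot recurse. hasAction() starts and ends outside the hunk.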
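--- a/tests/control/ControllerTest.php
+++ b/tests/control/ControllerTest.php
@@ -57,7 +57,7 @@ function testAllowedActions() {
 );
 $response = $this->get("ControllerTest_FullSecuredController/adminonly");
-$this->assertEquals(403, $response->getStatusCode(),
+$this->assertEquals(404, $response->getStatusCode(),
 "Actions can be globally disallowed by using asterisk (*) instead of a method name"
 );
@@ -73,6 +73,12 @@ function testAllowedActions() {
 $response->getStatusCode(),
 "Permission codes are respected when set in \$allowed_actions"
 );
+
+$response = $this->get("ControllerTest_FullSecuredController/adminonly");
+$this->assertEquals(200, $response->getStatusCode(),
+"Actions can be globally disallowed by using asterisk (*) instead of a method name"
+);
+$this->session()->inst_set('loggedInAs', null);
 }
 /**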
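Review bot: The assertion message on the added 200-status check is copied verbatim from the 404 check in the first hunk, so a failure would report that the action "can be globally disallowed" while the test is actually asserting the opposite, that it is now reachable. Suggest `"A globally disallowed (*) action becomes accessible once the session carries the required permission"`, adjusted to whichever login precedes it, which the hunk does not show. The `$this->session()->inst_set('loggedInAs', null);` reset runs only if the preceding assert passes; clearing the session in tearDown(), or before the assertion, keeps a failing run from leaking the logged-in session into later tests. testAllowedActions() starts outside the hunk.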