API File->canEdit() returns TRUE by default (not checking CMS perms) #872

Merged: 1 commit, Nov 5, 2012


@chillu (Member) commented Oct 12, 2012

This is a measure to support form fields and controllers
interacting with files in different contexts,
for example an UploadField used in a ModelAdmin,
or a website frontend. The check for 'CMS_ACCESS_AssetAdmin'
was too restricting. This wasn't a problem in 2.x simply because
the old FileField/Upload classes didn't respect File->can*() permissions.

This doesn't create a security issue as we're still securing core upload
fields by their controllers. The only field present in core is located
in CMSFileAddController, and indirectly through HTMLEditorField->MediaForm().

See discussion at https://groups.google.com/forum/?fromgroups=#!topic/silverstripe-dev/30CXT9csKFQ
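
The comment above rests on one point: once File->canEdit() returns TRUE by default, the controller that exposes an upload field is the security boundary, and a site that relied on the old 'CMS_ACCESS_AssetAdmin' check has to reinstate it itself. The following is an added example showing both sides of that, not code from this pull request or from the SilverStripe core. It assumes SilverStripe 3.0-era APIs (Controller::init(), Permission::check(), Security::permissionFailure(), UploadField, DataExtension, Object::add_extension()) and the usual extend('canEdit') convention that a FALSE returned by any extension vetoes the edit; the class names FrontendFileUploadController and RestrictFileEditToAssetAdmin, the permission code 'FRONTEND_FILE_UPLOAD' and the folder name 'frontend-uploads' are hypothetical.

```php
<?php
// Added example; not part of PR #872 or the SilverStripe core.
// Hypothetical names: FrontendFileUploadController, RestrictFileEditToAssetAdmin,
// permission code FRONTEND_FILE_UPLOAD, folder frontend-uploads.

/**
 * Side 1: secure the controller, because File->canEdit() no longer will.
 *
 * A frontend controller that exposes an UploadField. With File->canEdit()
 * returning TRUE by default, nothing in File itself stops an anonymous
 * visitor from editing files, so the controller gates access before any
 * form (and therefore any UploadField action) is reachable.
 */
class FrontendFileUploadController extends Controller {

    public static $allowed_actions = array('UploadForm');

    public function init() {
        parent::init();
        // Gate the whole controller; every action, including the
        // UploadField's own sub-actions, runs after this check.
        if (!Permission::check('FRONTEND_FILE_UPLOAD')) {
            return Security::permissionFailure($this);
        }
    }

    public function UploadForm() {
        $field = new UploadField('Attachments', 'Attachments');
        // Defence in depth on the field itself: confine uploads to one folder
        // and a whitelist of extensions. This limits what an authorised user
        // can do; the init() check is what keeps unauthorised users out.
        $field->setFolderName('frontend-uploads');
        $field->getValidator()->setAllowedExtensions(array('jpg', 'png', 'pdf'));

        return new Form(
            $this,
            'UploadForm',
            new FieldList($field),
            new FieldList(new FormAction('doUpload', 'Upload'))
        );
    }

    public function doUpload($data, Form $form) {
        // The UploadField has already created the File records through its
        // own upload action; a real owner record (e.g. a DataObject with a
        // has_many Attachments relation) would receive $form->saveInto() here.
        $form->sessionMessage('Upload received.', 'good');
        return $this->redirectBack();
    }
}

/**
 * Side 2: reinstate the old rule where a site still wants it.
 *
 * Restores "only users with CMS_ACCESS_AssetAdmin may edit files" as a
 * site-level decision via a DataExtension. Returning NULL expresses no
 * opinion (the core default, now TRUE, applies); returning FALSE vetoes.
 */
class RestrictFileEditToAssetAdmin extends DataExtension {
    public function canEdit($member = null) {
        if (!$member) {
            $member = Member::currentUser();
        }
        if (Permission::check('CMS_ACCESS_AssetAdmin', 'any', $member)) {
            return null;   // no opinion: fall through to the core default
        }
        return false;      // veto for everyone without AssetAdmin access
    }
}

// mysite/_config.php: attach the extension to File (and so to Folder and Image).
Object::add_extension('File', 'RestrictFileEditToAssetAdmin');
```

The extension is the check to reach for when a project has its own code calling File->canEdit() as an authorisation decision; it does not replace the controller gate, because an UploadField placed in an unguarded controller is reachable regardless of what canEdit() returns for the files it creates.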

Commit a3295e2 (@chillu): API File->canEdit() returns TRUE by default (not checking CMS perms)
This is a measure to support form fields and controllers
interacting with files in different contexts,
for example an UploadField used in a ModelAdmin,
or a website frontend. The check for 'CMS_ACCESS_AssetAdmin'
was too restricting. This wasn't a problem in 2.x simply because
the old FileField/Upload classes didn't respect File->can*()
permissions.
@halkyon halkyon merged commit 0f55a11 into silverstripe:master Nov 5, 2012

1 check passed: the Travis build passed
@halkyon (Member) commented Nov 5, 2012

Looks fair to me.
