Merge pull request #11113 from creative-commoners/pulls/4.13/cve-2023…

…-48714 [CVE-2023-48714] Don't show or add records the member isn't allowed to
silverstripe · Jan 22, 2024 · 6fe377e · 6fe377e
2 parents 38fef1e + 873b721
commit 6fe377e
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/Forms/GridField/GridFieldAddExistingAutocompleter.php b/src/Forms/GridField/GridFieldAddExistingAutocompleter.php
@@ -16,6 +16,7 @@
 use SilverStripe\View\ArrayData;
 use SilverStripe\View\SSViewer;
 use LogicException;
+use SilverStripe\Control\HTTPResponse_Exception;
 
 /**
  * This class is is responsible for adding objects to another object's has_many
@@ -195,11 +196,14 @@ public function getManipulatedData(GridField $gridField, SS_List $dataList)
         if (empty($objectID)) {
             return $dataList;
         }
+        $gridField->State->GridFieldAddRelation = null;
         $object = DataObject::get_by_id($gridField->getModelClass(), $objectID);
         if ($object) {
+            if (!$object->canView()) {
+                throw new HTTPResponse_Exception(null, 403);
+            }
             $dataList->add($object);
         }
-        $gridField->State->GridFieldAddRelation = null;
         return $dataList;
     }
 
@@ -265,6 +269,9 @@ public function doSearch($gridField, $request)
         SSViewer::config()->set('source_file_comments', false);
         $viewer = SSViewer::fromString($this->resultsFormat);
         foreach ($results as $result) {
+            if (!$result->canView()) {
+                continue;
+            }
             $title = Convert::html2raw($viewer->process($result));
             $json[] = [
                 'label' => $title,