From 8797f1f41e1a58e6866351a6eb20ebc1a6e24a88 Mon Sep 17 00:00:00 2001 From: Sabina Talipova <87288324+sabina-talipova@users.noreply.github.com> Date: Thu, 9 Nov 2023 10:06:58 +1300 Subject: [PATCH] ENH Restrict access to getJobStatus execution (#113) --- .../javascript/BrokenExternalLinksReport.js | 16 +++++----- .../CMSExternalLinksController.php | 7 +++++ tests/php/ExternalLinksTest.php | 29 +++++++++++++++++-- 3 files changed, 43 insertions(+), 9 deletions(-) diff --git a/client/javascript/BrokenExternalLinksReport.js b/client/javascript/BrokenExternalLinksReport.js index de33077..572fae1 100644 --- a/client/javascript/BrokenExternalLinksReport.js +++ b/client/javascript/BrokenExternalLinksReport.js @@ -17,6 +17,7 @@ }, start: function() { + var self = this; // initiate a new job $('.external-links-report__report-progress') .empty() @@ -25,10 +26,14 @@ $.ajax({ url: "admin/externallinks/start", async: true, - timeout: 3000 + timeout: 3000, + success: function() { + self.poll(); + }, + error: function() { + self.buttonReset(); + } }); - - this.poll(); }, /** @@ -125,10 +130,7 @@ $('.external-links-report__create-report').poll(); }, 1000)); }, - error: function(e) { - if (typeof console !== 'undefined') { - console.log(e); - } + error: function() { self.buttonReset(); } }); diff --git a/src/Controllers/CMSExternalLinksController.php b/src/Controllers/CMSExternalLinksController.php index a6cae46..1855e47 100644 --- a/src/Controllers/CMSExternalLinksController.php +++ b/src/Controllers/CMSExternalLinksController.php @@ -8,6 +8,7 @@ use SilverStripe\Control\Controller; use Symbiote\QueuedJobs\Services\QueuedJobService; use SilverStripe\Control\Middleware\HTTPCacheControlMiddleware; +use SilverStripe\Security\Permission; class CMSExternalLinksController extends Controller { @@ -24,6 +25,9 @@ class CMSExternalLinksController extends Controller */ public function getJobStatus() { + if (!Permission::check('CMS_ACCESS_CMSMain')) { + return $this->httpError(403, 'You do not have permission to access this resource'); + } // Set headers HTTPCacheControlMiddleware::singleton()->setMaxAge(0); $this->response @@ -49,6 +53,9 @@ public function getJobStatus() */ public function start() { + if (!Permission::check('CMS_ACCESS_CMSMain')) { + return $this->httpError(403, 'You do not have permission to access this resource'); + } // return if the a job is already running $status = BrokenExternalPageTrackStatus::get_latest(); if ($status && $status->Status == 'Running') { diff --git a/tests/php/ExternalLinksTest.php b/tests/php/ExternalLinksTest.php index 433ea5b..edbdd2d 100644 --- a/tests/php/ExternalLinksTest.php +++ b/tests/php/ExternalLinksTest.php @@ -3,7 +3,7 @@ namespace SilverStripe\ExternalLinks\Tests; use SilverStripe\Core\Injector\Injector; -use SilverStripe\Dev\SapphireTest; +use SilverStripe\Dev\FunctionalTest; use SilverStripe\ExternalLinks\Model\BrokenExternalPageTrackStatus; use SilverStripe\ExternalLinks\Reports\BrokenExternalLinksReport; use SilverStripe\ExternalLinks\Tasks\CheckExternalLinksTask; @@ -13,7 +13,7 @@ use SilverStripe\i18n\i18n; use SilverStripe\Reports\Report; -class ExternalLinksTest extends SapphireTest +class ExternalLinksTest extends FunctionalTest { protected static $fixture_file = 'ExternalLinksTest.yml'; @@ -125,4 +125,29 @@ public function testArchivedPagesAreHiddenFromReport() // Ensure report does not list the link associated with an archived page $this->assertEquals(3, BrokenExternalLinksReport::create()->sourceRecords()->count()); } + + public function provideGetJobStatus(): array + { + return [ + 'ADMIN - valid permission' => ['ADMIN', 200], + 'CMS_ACCESS_CMSMain - valid permission' => ['CMS_ACCESS_CMSMain', 200], + 'VIEW_SITE - not enough permission' => ['VIEW_SITE', 403], + ]; + } + + /** + * @dataProvider provideGetJobStatus + */ + public function testGetJobStatus( + string $permission, + int $expectedResponseCode + ): void { + $this->logInWithPermission($permission); + + $response = $this->get('admin/externallinks/start', null, ['Accept' => 'application/json']); + $this->assertEquals($expectedResponseCode, $response->getStatusCode()); + + $response = $this->get('admin/externallinks/getJobStatus', null, ['Accept' => 'application/json']); + $this->assertEquals($expectedResponseCode, $response->getStatusCode()); + } }