diff --git a/en/02_Developer_Guides/11_Integration/00_CSV_Import.md b/en/02_Developer_Guides/11_Integration/00_CSV_Import.md index 3f3804348..45b0d5ca6 100644 --- a/en/02_Developer_Guides/11_Integration/00_CSV_Import.md +++ b/en/02_Developer_Guides/11_Integration/00_CSV_Import.md @@ -52,9 +52,13 @@ $result = $loader->load(''); By the way, you can import [Member](api:SilverStripe\Security\Member) and [Group](api:SilverStripe\Security\Group) data through `https://www.example.com/admin/security` interface out of the box. +### Permission checks + +`CsvBulkLoader` does *not* respect permissions by default. If you want the permissions of the current user to be respected (i.e. if the bulk loader is being used as part of user interaction), you will need to pass `true` to the [`CsvBulkLoader::setCheckPermissions()`](api:SilverStripe\Dev\CsvBulkLoader::setCheckPermissions()) method. + ## Import through `ModelAdmin` -The simplest way to use [CsvBulkLoader](api:SilverStripe\Dev\CsvBulkLoader) is through a [ModelAdmin](api:SilverStripe\Admin\ModelAdmin) interface - you get an upload form out of the box. +The simplest way to use [CsvBulkLoader](api:SilverStripe\Dev\CsvBulkLoader) is through a [ModelAdmin](api:SilverStripe\Admin\ModelAdmin) interface - you get a secured upload form out of the box. ```php namespace App\Admin; @@ -87,6 +91,10 @@ Let's create a simple upload form (which is used for `MyDataObject` instances). You'll need to add a route to your controller to make it accessible via URL (see [Routing](../../controllers/routing/)). +[warning] +Don't forget to perform [permission checks](#permission-checks) if the data is provided by users. +[/warning] + ```php namespace App\Control; 
@@ -151,9 +159,6 @@ class MyController extends Controller } ``` -Note: This interface is not secured, consider using [Permission::check()](api:SilverStripe\Security\Permission::check()) to limit the controller to users -with certain access rights. - ## Column mapping and relation import We're going to use our knowledge from the previous example to import a more sophisticated CSV file. diff --git a/en/02_Developer_Guides/11_Integration/How_Tos/Import_CSV_through_a_Controller.md b/en/02_Developer_Guides/11_Integration/How_Tos/Import_CSV_through_a_Controller.md index d4cc1511a..64e6a740b 100644 --- a/en/02_Developer_Guides/11_Integration/How_Tos/Import_CSV_through_a_Controller.md +++ b/en/02_Developer_Guides/11_Integration/How_Tos/Import_CSV_through_a_Controller.md @@ -82,6 +82,5 @@ class MyController extends Controller ``` [alert] -This interface is not secured, consider using [Permission::check()](api:SilverStripe\Security\Permission::check()) to limit the controller to users with certain -access rights. +If the file you're loading data from is uploaded by a user, you should pass `true` to the [`CsvBulkLoader::setCheckPermissions()`](api:SilverStripe\Dev\CsvBulkLoader::setCheckPermissions()) method. Otherwise, permissions will not be respected and the user may alter data in ways they would otherwise not be permitted to. [/alert] diff --git a/en/04_Changelogs/5.2.0.md b/en/04_Changelogs/5.2.0.md index fddb9a83a..8bbb95b38 100644 --- a/en/04_Changelogs/5.2.0.md +++ b/en/04_Changelogs/5.2.0.md @@ -6,6 +6,7 @@ title: 5.2.0 (unreleased) ## Overview +- [Security considerations](#security-considerations) - [Features and enhancements](#features-and-enhancements) - [New ORM features](#new-orm-features) - [GridField components now work with arbitrary data](#gridfield-arbitrary-data) 
@@ -19,6 +20,17 @@ title: 5.2.0 (unreleased) - [API changes](#api-changes) - [Bug fixes](#bug-fixes) +## Security considerations {#security-considerations} + +This release includes several security fixes. Review the individual vulnerability disclosure for more detailed descriptions of each security fix. We highly encourage upgrading your project to include the latest security patches. + +We have provided a severity rating of the vulnerabilities below based on the CVSS score. Note that the impact of each vulnerability could vary based on the specifics of each project. You can [read the severity rating definitions in the Silverstripe CMS release process](/contributing/release_process/#severity-rating). + +- [CVE-2023-49783 - No permission checks for editing or deleting records with CSV import form](https://www.silverstripe.org/download/security-releases/cve-2023-49783) Severity: Medium + - If you implement a custom subclass of [`BulkLoader`](api:SilverStripe\Dev\BulkLoader) or you're using a `BulkLoader` directly in your code, there may be additional actions you need to take to secure your project. +- [CVE-2023-48714 - Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter](https://www.silverstripe.org/download/security-releases/cve-2023-48714) Severity: Medium +- [CVE-2023-44401 - View permissions are bypassed for paginated lists of ORM data in GraphQL queries](https://www.silverstripe.org/download/security-releases/cve-2023-44401) Severity: Medium + ## Features and enhancements ### New ORM features {#new-orm-features}
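Review bot: the new `### Permission checks` section in 00_CSV_Import.md (hunk `@@ -52,9 +52,13 @@`) does not say which permissions are enforced once `setCheckPermissions(true)` is set, so a reader cannot tell what "respect permissions" buys them; spell out that the loader then checks the current user's permission to create, edit and delete each imported record (the CVE title in the changelog hunk names exactly those operations), and change "i.e. if the bulk loader is being used as part of user interaction" to "e.g.", since that is one example rather than the definition. The same hunk changes the `ModelAdmin` sentence to "you get a secured upload form out of the box" without explaining why it is secured; one clause saying that `ModelAdmin` enables the permission check for you would tie the two paragraphs together.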
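Review bot: the `[warning]` added in hunk `@@ -87,6 +91,10 @@` of 00_CSV_Import.md points at the permission-checks section but the controller example directly below it is left unchanged, so anyone copying the sample still gets an importer with checks disabled; add the `$loader->setCheckPermissions(true);` call to the example itself and let the warning explain why it is there, rather than relying on the reader to remember to add it.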
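Review bot: hunk `@@ -151,9 +159,6 @@` of 00_CSV_Import.md deletes the "This interface is not secured, consider using Permission::check() ..." note, but nothing in the patch replaces the controller-level advice: `setCheckPermissions(true)` governs per-record create/edit/delete checks, while `Permission::check()` on the controller is what stops unauthorised users reaching the upload route at all. Keep the removed sentence (or fold it into the new warning) so both layers are still documented.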
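Review bot: in How_Tos/Import_CSV_through_a_Controller.md (hunk `@@ -82,6 +82,5 @@`) the new `[alert]` replaces the `Permission::check()` guidance instead of supplementing it, so the how-to no longer tells readers to restrict who can invoke the controller; rewrite the alert to recommend both `setCheckPermissions(true)` for record-level checks and `Permission::check()` for the route. The condition "If the file you're loading data from is uploaded by a user" is also narrower than the risk: the record-level checks matter whenever a user triggers the import, whichever way the file arrives.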
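Review bot: in the `## Security considerations` section of 5.2.0.md (hunk `@@ -19,6 +20,17 @@`), "Review the individual vulnerability disclosure" should be plural ("disclosures") since three advisories follow, and the sub-bullet under CVE-2023-49783 says "there may be additional actions you need to take" without saying what they are or where to look; link it to the new permission-checks section of the CSV import docs so `BulkLoader` subclass authors know to call `setCheckPermissions(true)` (or honour that flag in their own subclass).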