silverstripe/silverstripe-blog

Blog Post canEdit method allows some members to edit posts for which they are not an editor/author.

GuySartorelli opened this issue · 3 comments

In BlogPost.php, the canEdit method immediately returns true if its parent's canEdit method returns true.

if (parent::canEdit($member)) {
    return true;
}

This happens before any of BlogPost's bespoke checks (e.g. checking $parent->isEditor, $this->isAuthor, etc) which ultimately results in some members being able to edit any blog post even if they're not an author for that post (depending on the permissions checks up the line).

It also means that if the parent says a member should not be able to edit the page, if someone else has listed them as an author they may be able to edit the post anyway.

My assumption is that this is intended to be

if (!parent::canEdit($member)) {
    return false;
}

which would match what happens in canView and means that if permissions up the line fail then this also fails, but if they pass then we still have to check the requirements for this class itself.
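The two orderings side by side, as an added stand-alone example that is not the issue author's or the module's code: Page::canEdit() is an assumed stand-in for the inherited framework check, members are plain name strings, and the editor/author lists are constructed for the demo.

```php
<?php
// Added illustration of the check order discussed above; not the module's
// own code. Page::canEdit() stands in for the inherited framework check,
// members are plain name strings, and all lists are constructed for the demo.
class Page
{
    public function __construct(protected array $cmsEditors) {}
    public function canEdit(string $member): bool
    {
        return in_array($member, $this->cmsEditors, true);
    }
}

final class BlogPost extends Page
{
    // $blogEditors stands in for $parent->isEditor(), $authors for isAuthor().
    public function __construct(array $cmsEditors, private array $blogEditors, private array $authors)
    {
        parent::__construct($cmsEditors);
    }
    private function bespokeChecks(string $member): bool
    {
        return in_array($member, $this->blogEditors, true)
            || in_array($member, $this->authors, true);
    }

    // Before: a parent "yes" skips the bespoke checks entirely, and a parent
    // "no" can still be overturned by the author list.
    public function canEditBefore(string $member): bool
    {
        if (parent::canEdit($member)) {
            return true;
        }
        return $this->bespokeChecks($member);
    }

    // After: a parent "no" is final; a parent "yes" only lets the bespoke
    // checks run, the same shape as canView.
    public function canEditAfter(string $member): bool
    {
        if (!parent::canEdit($member)) {
            return false;
        }
        return $this->bespokeChecks($member);
    }
}

$post = new BlogPost(cmsEditors: ['alice', 'bob'], blogEditors: [], authors: ['bob', 'carol']);
foreach (['alice', 'bob', 'carol'] as $name) {
    printf("%-5s before=%d after=%d\n", $name, $post->canEditBefore($name), $post->canEditAfter($name));
}
```

Run with `php`: alice (CMS rights, not an author) and carol (author, but denied upstream) are both granted by canEditBefore() and denied by canEditAfter(), while bob passes both layers.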

Hi, thanks for reporting this. Feel free to write up a pull request if you have time.

Thanks! I've linked a pull request.