From f819384007a13d5a11e07a5f9d716cc47af33bb5 Mon Sep 17 00:00:00 2001
From: AlexArchiPro
Date: Fri, 12 Jun 2026 17:12:04 +1200
Subject: [PATCH] BB-3812 Require ADMIN permission for SecurityAdmin CSV import endpoints

ImportForm was reachable by any user with CMS_ACCESS_SecurityAdmin even though the import button is hidden for non-admins in getGridFieldConfig(). A non-admin could POST a CSV assigning an ADMIN PermissionCode to a group and escalate privileges. Gate both the ImportForm endpoint and the import form action behind Permission::check('ADMIN'), matching the existing UI-level restriction.
---
 code/SecurityAdmin.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/code/SecurityAdmin.php b/code/SecurityAdmin.php
index 8d079b079..4ac1d1db4 100755
--- a/code/SecurityAdmin.php
+++ b/code/SecurityAdmin.php
@@ -3,6 +3,7 @@
 namespace SilverStripe\Admin;
 
 use SilverStripe\CMS\Controllers\CMSMain;
+use SilverStripe\Control\HTTPResponse;
 use SilverStripe\Forms\Form;
 use SilverStripe\Forms\GridField\GridFieldConfig;
 use SilverStripe\Forms\GridField\GridFieldImportButton;
@@ -86,6 +87,10 @@ public function getManagedModels()
      */
     public function ImportForm()
     {
+        // Limit import to admin since the import logic can affect assigned permissions
+        if (!Permission::check('ADMIN')) {
+            return false;
+        }
         $form = parent::ImportForm();
         if (!$form) {
             return $form;
@@ -113,6 +118,15 @@ public function ImportForm()
         return $form;
     }
 
+    public function import(array $data, Form $form): HTTPResponse
+    {
+        // Limit import to admin since the import logic can affect assigned permissions
+        if (!Permission::check('ADMIN')) {
+            $this->httpError(403);
+        }
+        return parent::import($data, $form);
+    }
+
     protected function getGridFieldConfig(): GridFieldConfig
     {
         $config = parent::getGridFieldConfig();
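Review bot: The new guard in ImportForm() returns `false` to a non-admin while the import action in the next hunk answers the same condition with a 403, so the two entry points fail differently; unless the framework maps a false action result to a permission error (not visible here), a direct request for the form endpoint is not reported as forbidden. Either use `$this->httpError(403);` here as well, or add a one-line comment stating why returning false is intended for the form endpoint (for example so the UI simply omits the form). The diffstat lists only code/SecurityAdmin.php, so nothing pins that a member holding CMS_ACCESS_SecurityAdmin but not ADMIN is refused by both endpoints; a functional test submitting a CSV as such a member would guard the fix against regression. ImportForm's body continues outside the hunk.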
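Review bot: In the new import() override, `$this->httpError(403);` is relied on to stop execution, which holds because the framework's httpError() throws an HTTPResponse_Exception rather than returning, but the method reads as if a non-admin could fall through to `parent::import()` and the `: HTTPResponse` return type reinforces that impression. A short comment on that line, `// httpError() throws, so non-admins never reach parent::import()`, would make the control flow explicit. The method also has no docblock; one sentence such as "Handles the CSV import POST; restricted to ADMIN because imported rows can assign permission codes to groups" would record the security rationale next to the code rather than only in the commit message. The same check and comment are duplicated from ImportForm(), so a private `canImport(): bool` helper would keep the two gates from drifting apart.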