EZP-28862: Require an explicit permission for the System Info route

ezsystems · Mar 27, 2018 · e836825 · e836825
1 parent 1101d28
commit e836825
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/bundle/Controller/SystemInfoController.php b/src/bundle/Controller/SystemInfoController.php
@@ -6,6 +6,7 @@
  */
 namespace EzSystems\EzPlatformAdminUiBundle\Controller;
 
+use eZ\Publish\Core\MVC\Symfony\Security\Authorization\Attribute;
 use EzSystems\EzSupportToolsBundle\SystemInfo\SystemInfoCollectorRegistry;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -22,6 +23,12 @@ public function __construct(SystemInfoCollectorRegistry $collectorRegistry)
         $this->collectorRegistry = $collectorRegistry;
     }
 
+    public function performAccessCheck()
+    {
+        parent::performAccessCheck();
+        $this->denyAccessUnlessGranted(new Attribute('setup', 'system_info'));
+    }
+
     /**
      * Renders the system information page.
      *