Add ability to whitelist edited class for security

Author: wilr

client/js/ManyField.src.js

@@ -12,7 +12,11 @@
         $(elem).find('.manyfield__row').each(function (r, row) {
           if (canRemove) {
             if (!$(row).find('.manyfield__remove').length) {
-              $(row).prepend('<a class="btn btn-sm btn-danger manyfield__remove"><i class="fa fa-times"></i></a>');
+              var href = $(this).data('inline-save').replace('saveRecord', 'deleteRecord');
+
+              href = href + '?ID='+ $(row).find('[name=ID]').val();
+
+              $(row).prepend('<a class="btn btn-sm btn-danger manyfield__remove" href="' + href + '"><i class="fa fa-times"></i></a>');
             }
           } else {
             field.find('.manyfield__remove').remove();

src/ManyField.php

@@ -73,6 +73,11 @@ class ManyField extends CompositeField
      */
     protected $ajaxUrl = false;
 
+    /**
+     * @var string
+     */
+    protected $manyFieldDataClass;
+
     /**
      * Does creating a new row automatically call write to the database?
      *
@@ -366,6 +371,10 @@ public function saveRecord()
         $index = Controller::curr()->getRequest()->requestVar('ID');
         $class = Controller::curr()->getRequest()->requestVar('ClassName');
 
+        if (!$class) {
+            $class = $this->manyFieldDataClass;
+        }
+
         if (!$class && $this->value) {
             $class = $this->value->dataClass();
         }
@@ -374,6 +383,10 @@ public function saveRecord()
             throw new Exception('saveRecord() must be passed an ID and ClassName');
         }
 
+        if ($this->manyFieldDataClass && $class !== $this->manyFieldDataClass) {
+            throw new Exception('Invalid ClassName passed');
+        }
+
         $record = $class::get()->byId($index);
 
         if (!$record || !$record->canEdit()) {
@@ -405,14 +418,22 @@ public function recordForm()
         $index = Controller::curr()->getRequest()->getVar('RecordID');
         $class = Controller::curr()->getRequest()->getVar('ClassName');
 
+        if (!$class) {
+            $class = $this->manyFieldDataClass;
+        }
+
         if (!$index || !$class) {
             throw new Exception('recordForm() must be passed an RecordID and ClassName');
         }
 
+        if ($this->manyFieldDataClass && $class !== $this->manyFieldDataClass) {
+            throw new Exception('Invalid ClassName passed');
+        }
+
         $record = $class::get()->byId($index);
 
         if (!$record || !$record->canEdit()) {
-            return Controller::curr()->httpError(400);
+            return Controller::curr()->httpError(404);
         }
 
         $response = new HTTPResponse();
@@ -439,10 +460,18 @@ public function deleteRecord()
         $index = Controller::curr()->getRequest()->getVar('ID');
         $class = Controller::curr()->getRequest()->getVar('ClassName');
 
+        if (!$class) {
+            $class = $this->manyFieldDataClass;
+        }
+
         if (!$index || !$class) {
             throw new Exception('deleteRecord() must be passed an ID and ClassName');
         }
 
+        if ($this->manyFieldDataClass && $class !== $this->manyFieldDataClass) {
+            throw new Exception('Invalid ClassName passed');
+        }
+
         $record = $class::get()->byId($index);
 
         if (!$record || !$record->canDelete()) {
@@ -454,6 +483,18 @@ public function deleteRecord()
         return $this->forTemplate();
     }
 
+    /**
+     * @param string
+     *
+     * @return self
+     */
+    public function setDataClass($class)
+    {
+        $this->manyFieldDataClass = $class;
+
+        return $this;
+    }
+
     /**
      * Add URL
      *
@@ -634,8 +675,6 @@ public function updateRelation(DataObjectInterface $record, $delete = true)
         }
 
         $existing = $record->{$this->name}();
-        $removed = [];
-
         // if no value then we should clear everything out
         if (!$this->value && $this->canRemove) {
             if ($delete) {

templates/FullscreenInteractive/ManyField/ManyFieldCompositeField_holder.ss

@@ -0,0 +1,7 @@
+<$Tag $AttributesHTML>
+	<% if $Tag == 'fieldset' && $Legend %>
+		<legend>$Legend</legend>
+	<% end_if %>
+
+	$Field
+</$Tag>