BUG: Fix access to documents on the staging site.

[ajshort]

The DMS document controller had been changed to subclass ContentController to correctly initialise the versioned stage. However, this had the side effect of preventing access to documents when the "Stage" stage was selected.

ContentController::init() calls the SiteTree::canViewStage() method, which controls access when on the stage. However, since the data record was non-existant, the method would always return false, preventing access to documents.

This fix removes the subclassing of ContentController and just directly initialises the versioned stage.

[ss23]

It looks like that Versioned call doesn't have any protection stopping random users from setting the stage? It will at least allow users to access draft DMS documents, and possibly worse depending on where else the stage is read in the request.

I'm not sure what the right fix is because I haven't looked into it, but I don't think this is it.

[ajshort]

Good point. A better fix would be to fix ContentController::init() for draft sites without a data record - I will do that instead.

[hafriedlander]

I'd just copy https://github.com/silverstripe/silverstripe-restfulserver/commit/af652463f17d3c04a069ba971b04a436a8af585c for now - proper fix is for Versioned to have a way to hook into startup nicely, but that's likely to need a 3.2-level core change.

[ajshort]

@hafriedlander That fix is effectively the same as the one in this pull request, just with one less layer of abstraction.

[ajshort]

@ss23

After talking with @hafriedlander, I thnk it is actually secure - the DMS controller calls SiteTree::canView(), which does a check to make sure the user can view draft content.

[ss23]

Cool, as long as everyone is happy with it.