Security for UsersController
Org admins could edit users of other orgs by accessing the edit page directly through its URL. Fixed.
pull/63/head
parent
97f56a2275
commit
66b9969d29
@ -144,6 +144,7 @@ class UsersController extends AppController {
|
|||
if (!$this->User->exists()) {
|
||||
throw new NotFoundException(__('Invalid user'));
|
||||
}
|
||||
//if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true));
|
||||
//Replaced by isAuthorized
|
||||
//// Only own profile
|
||||
//if ($this->Auth->user('id') != $id) {
|
||||
|
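Review bot: Commented-out authorization checks (`//if ($this->Auth->User('org') != 'ADMIN' …` followed by `//Replaced by isAuthorized` and `//if ($this->Auth->user('id') != $id) {`) are left in the action body, which misleads a reader about where the org and ownership restriction is actually enforced; from the hunk alone it is not clear which of these lines is the one added, nor whether isAuthorized() covers this action. Either delete the dead checks and leave a single pointer such as `// org/ownership restriction is enforced in isAuthorized()`, or keep a live check here as the second hunk of this commit does for the admin edit path. The enclosing action starts and ends outside this hunk.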
@ -294,6 +295,7 @@ class UsersController extends AppController {
|
|||
} else {
|
||||
$this->User->recursive = 0;
|
||||
$this->User->read(null, $id);
|
||||
if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true));
|
||||
$this->User->set('password', '');
|
||||
$this->request->data = Sanitize::clean($this->User->data, array('escape' => false)); // TODO CHECK
|
||||
|
||||
|
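Review bot: The new org check `if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org'])` sits inside the `} else {` branch that reads the user for display, so the preceding branch — presumably the POST/PUT save path, which starts before this hunk — appears to remain unguarded, and a direct form submission to the edit URL would still bypass the fix; the check should run once before the branch split, right after the user is loaded. Use strict comparison, `!==`, since both sides are strings and PHP's loose `!=` is a known footgun. Keying site-admin status off an org literally named `'ADMIN'` follows the existing convention here but is fragile; a dedicated role flag would be safer. The enclosing action starts and ends outside this hunk.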
|