Security for UsersController

Org admins could edit users belonging to other orgs by opening the edit page directly via its URL. Fixed.
Andras Iklody 2013-01-29 10:51:18 +01:00
parent 97f56a2275
commit 66b9969d29
1 changed files with 2 additions and 0 deletions


@ -144,6 +144,7 @@ class UsersController extends AppController {
if (!$this->User->exists()) {
throw new NotFoundException(__('Invalid user'));
}
//if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true));
//Replaced by isAuthorized
//// Only own profile
//if ($this->Auth->user('id') != $id) {
@ -294,6 +295,7 @@ class UsersController extends AppController {
} else {
$this->User->recursive = 0;
$this->User->read(null, $id);
if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true));
$this->User->set('password', '');
$this->request->data = Sanitize::clean($this->User->data, array('escape' => false)); // TODO CHECK