From 66b9969d299167a0dd22b69183c4825ea3db4a5f Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Tue, 29 Jan 2013 10:51:18 +0100
Subject: [PATCH] Security for UsersController org admins could edit users of other orgs by accessing the edit page through the URL. Fixed.
---
 app/Controller/UsersController.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php
index 8300e450e..693c0377c 100755
--- a/app/Controller/UsersController.php
+++ b/app/Controller/UsersController.php
@@ -144,6 +144,7 @@ class UsersController extends AppController {
 if (!$this->User->exists()) {
 throw new NotFoundException(__('Invalid user'));
 }
+ //if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true)); //Replaced by isAuthorized
 //// Only own profile
 //if ($this->Auth->user('id') != $id) {
@@ -294,6 +295,7 @@ class UsersController extends AppController {
 } else {
 $this->User->recursive = 0;
 $this->User->read(null, $id);
+ if ($this->Auth->User('org') != 'ADMIN' && $this->Auth->User('org') != $this->User->data['User']['org']) $this->redirect(array('controller' => 'users', 'action' => 'index', 'admin' => true));
 $this->User->set('password', '');
 $this->request->data = Sanitize::clean($this->User->data, array('escape' => false)); // TODO CHECK
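Review bot: The line added in the first hunk (@@ -144) is commented-out code; the useful part is the trailing `//Replaced by isAuthorized`, so keep a one-line comment such as `// org restriction for this action is enforced in isAuthorized()` and drop the dead redirect. Leaving it in also duplicates, character for character, the check that the second hunk adds live, so a later reader cannot tell which of the two is authoritative. The enclosing action starts before the hunk, so the surrounding logic is not visible here.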
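Review bot: The new org check in the second hunk (@@ -294) sits in the `else` branch after `$this->User->read(null, $id)`, so it guards only the rendering of the form; the branch that handles the submitted data starts before the hunk and nothing in the hunk shows it carrying the same check, so whether the save path is covered cannot be confirmed from here. Since this commit's stated goal is to stop org admins editing users of other orgs, the guard belongs where both paths pass through it — right after the existence check at the top of the action, or, as the first hunk's `//Replaced by isAuthorized` comment does for view, in isAuthorized(), so one rule covers display and save alike. Two smaller points on the line itself: the string comparisons should use `!==` rather than `!=`, and `$this->Auth->User('org')` would read more consistently as `$this->Auth->user('org')`, the spelling the neighbouring `$this->Auth->user('id')` uses (PHP resolves both, so this is style, not behaviour). The literal `'ADMIN'` used as the privileged org name is a magic string and deserves a named constant.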