Fix to a critical vulnerability for the login authentication mechanism

- The API key check was incorrectly logging in the wrong user when the API key started with a numeric value

app/Controller/AppController.php

@@ -382,7 +382,7 @@ class AppController extends Controller {
 	public function checkAuthUser($authkey) {
 		$this->loadModel('User');
 		$this->User->recursive = -1;
-		$user = $this->User->getAuthUser($authkey);
+		$user = $this->User->getAuthUserByUuid($authkey);
 		if (empty($user)) return false;
 		if ($user['Role']['perm_site_admin']) $user['siteadmin'] = true;
 		return $user;

app/Model/User.php

@@ -433,7 +433,21 @@ class User extends AppModel {
 	
 	// get the current user and rearrange it to be in the same format as in the auth component
 	public function getAuthUser($id) {
-		$user = $this->find('first', array('conditions' => array('OR' => array('User.id' => $id, 'User.authkey' => $id)), 'recursive' => -1,'contain' => array('Organisation', 'Role', 'Server')));
+		$conditions = array('User.id' => $id);
+		$user = $this->find('first', array('conditions' => $conditions, 'recursive' => -1,'contain' => array('Organisation', 'Role', 'Server')));
+		if (empty($user)) return $user;
+		// Rearrange it a bit to match the Auth object created during the login
+		$user['User']['Role'] = $user['Role'];
+		$user['User']['Organisation'] = $user['Organisation'];
+		$user['User']['Server'] = $user['Server'];
+		unset($user['Organisation'], $user['Role'], $user['Server']);
+		return $user['User'];
+	}
+	
+	// get the current user and rearrange it to be in the same format as in the auth component
+	public function getAuthUserByUuid($id) {
+		$conditions = array('User.authkey' => $id);
+		$user = $this->find('first', array('conditions' => $conditions, 'recursive' => -1,'contain' => array('Organisation', 'Role', 'Server')));
 		if (empty($user)) return $user;
 		// Rearrange it a bit to match the Auth object created during the login
 		$user['User']['Role'] = $user['Role'];