fix: [security] Org admins cannot delete site admin accounts see #9121

bad_encoding_pymisp
Christophe Vandeplas 2023-06-04 07:01:29 +02:00
parent e0bc2d57e5
commit b2bb4f817b
2 changed files with 7 additions and 7 deletions


@ -748,7 +748,7 @@ class ACLComponent extends Component
'otp' => array('*'),
'hotp' => array('*'),
'totp_new' => array('*'),
'totp_delete' => array('perm_site_admin'),
'totp_delete' => array('perm_admin'),
'searchGpgKey' => array('*'),
'fetchGpgKey' => array('*'),
'histogram' => array('*'),
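Review bot: Lowering `totp_delete` from `perm_site_admin` to `perm_admin` in this ACL table makes the controller action the only place that decides which users an org admin may act on, and whether that action scopes its lookup with `__adminFetchConditions($id)` (default `$edit = true`, which for org-admin callers adds the `Role.perm_site_admin = false` condition) is not visible in this hunk. Confirm that it does and that its find joins Role, since an org admin clearing a site admin's second factor would be the same class of problem the commit title addresses. The ACLComponent array continues outside the hunk.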


@ -572,7 +572,7 @@ class UsersController extends AppController
{
$user = $this->User->find('first', array(
'recursive' => -1,
'conditions' => $this->__adminFetchConditions($id),
'conditions' => $this->__adminFetchConditions($id, $edit=False),
'contain' => [
'UserSetting',
'Role',
@ -851,9 +851,6 @@ class UsersController extends AppController
// MISP automatically chooses the first available option for the user as the selected setting (usually user)
// Org admin is downgraded to a user
// Now we make an exception for the already assigned role, both in the form and the actual edit.
if (!empty($userToEdit['Role']['perm_site_admin'])) {
throw new NotFoundException(__('Invalid user'));
}
$allowedRole = $userToEdit['User']['role_id'];
$params = array('conditions' => array(
'OR' => array(
@ -1562,7 +1559,7 @@ class UsersController extends AppController
public function admin_quickEmail($user_id)
{
$user = $this->User->find('first', array(
'conditions' => $this->__adminFetchConditions($user_id),
'conditions' => $this->__adminFetchConditions($user_id, $edit=False),
'recursive' => -1
));
$error = false;
@ -3004,7 +3001,7 @@ class UsersController extends AppController
* @return array
* @throws NotFoundException
*/
private function __adminFetchConditions($id)
private function __adminFetchConditions($id, $edit = True)
{
if (empty($id)) {
throw new NotFoundException(__('Invalid user'));
@ -3014,6 +3011,9 @@ class UsersController extends AppController
$user = $this->Auth->user();
if (!$user['Role']['perm_site_admin']) {
$conditions['User.org_id'] = $user['org_id']; // org admin
if ($edit) {
$conditions['Role.perm_site_admin'] = False;
}
}
return $conditions;
}
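Review bot: `$this->__adminFetchConditions($id, $edit=False)` at the admin_view and admin_quickEmail call sites passes the flag as an assignment expression, which creates an unused local `$edit` in each caller rather than a named argument; pass `false` directly (or `edit: false` if the codebase targets PHP 8) and use lowercase `false`/`true`, including the `$edit = True` default in the signature. The new parameter is undocumented in the `__adminFetchConditions` docblock, whose tail is in this hunk; a `@param bool $edit` line stating that, for org-admin callers, it adds a `Role.perm_site_admin = false` condition and therefore requires the caller's find to have Role joined (e.g. via `contain`) would explain why admin_view and admin_quickEmail pass `false`. With the explicit NotFoundException removed in admin_edit, rejecting site admins there now depends entirely on that condition being part of the find that loads `$userToEdit`, which is outside this hunk; confirm that query uses the default `$edit = true` and contains Role.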