fix: [user:resetauthkey] Method can only be accessed via POST request
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)pull/5687/head
parent
43a0757fb3
commit
de80d340cf
|
@ -1235,6 +1235,9 @@ class UsersController extends AppController
|
|||
if (!$this->_isAdmin() && Configure::read('MISP.disableUserSelfManagement')) {
|
||||
throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
|
||||
}
|
||||
if (!$this->request->is('post') || !$this->request->is('put')) {
|
||||
throw new MethodNotAllowedException(__('This functionality is only accessible via POST requests.'));
|
||||
}
|
||||
if ($id == 'me') {
|
||||
$id = $this->Auth->user('id');
|
||||
}
|
||||
|
|
|
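Review bot: The new guard `if (!$this->request->is('post') || !$this->request->is('put'))` rejects every request, including the POST the commit is meant to allow: a request is never both POST and PUT, so one operand of the `||` is always true and the MethodNotAllowedException is thrown unconditionally, which breaks the key reset entirely. It should read `if (!$this->request->is('post') && !$this->request->is('put')) {`. Restricting the verb also only stops a forged cross-site reset when the CSRF token check applies to this action; if `resetauthkey` is exempted from the Security component anywhere, a cross-origin POST would still be accepted, so that is worth confirming rather than assuming. The enclosing action starts and ends outside the hunk.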
@ -34,7 +34,7 @@ $buttonModifyStatus = $mayModify ? 'button_on':'button_off';
|
|||
h($user['User']['authkey']),
|
||||
sprintf(
|
||||
' (%s)',
|
||||
$this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
|
||||
$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
|
||||
)
|
||||
);
|
||||
$table_data[] = array(
|
||||
|
|
|
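Review bot: The new `$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))` fires the reset on a single click with no confirmation, and the same applies to the identical line in the third hunk; since a reset invalidates the existing key for any API client using it, an accidental click is disruptive. CakePHP 2's postLink takes a confirmation message as its fourth argument, so `$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']), array(), __('Reset the authentication key? Existing API clients will stop working.'))` would prompt first. The replaced link also dropped `'controller' => 'users'`; that is fine while this view renders under UsersController, but any other view reusing this snippet would need it back. The surrounding sprintf call starts outside the hunk.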
@ -17,7 +17,8 @@
|
|||
(Configure::read('MISP.disableUserSelfManagement') && !$isAdmin) ? '' :
|
||||
sprintf(
|
||||
' (%s)',
|
||||
$this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
|
||||
$this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
|
||||
|
||||
)
|
||||
);
|
||||
}
|
||||
|
|