fix: Fixes an invalid check allowing user profile modifications to target different users within the org

- User edit had an incorrect check that allowed a normal user edit on a different account within the same org
- Also removed the deprecated option for this function to be used by org/site admins as an alternative to the admin edit

- as reported by: Vytautas Paulikas and Robert Giruckas from SEC Consult.
pull/1630/merge
Iglocska 2016-11-02 11:32:00 +01:00
parent d9bac88c73
commit fbfa8ac450
3 changed files with 7 additions and 16 deletions


@ -64,16 +64,12 @@ class UsersController extends AppController {
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'Something went wrong, please try again later.')),'status'=>200));
}
public function edit($id = null) {
public function edit() {
if (!$this->_isAdmin() && Configure::read('MISP.disableUserSelfManagement')) throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
$me = false;
if ("me" == $id) {
$id = $this->Auth->user('id');
$me = true;
}
$id = $this->Auth->user('id');
$this->User->read(null, $id);
if (!$this->User->exists() && !$me && !$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org_id') == $this->User->data['User']['org_id'])) {
throw new NotFoundException(__('Invalid user or not authorised.'));
if (!$this->User->exists()) {
throw new NotFoundException('Something went wrong. Your user account could not be accessed.');
}
if ($this->request->is('post') || $this->request->is('put')) {
// What fields should be saved (allowed to be saved)
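Review bot: The new `edit()` has no docblock stating that it is now self-service only, and dropping the `$id` parameter does not on its own reject a request that still supplies one — if CakePHP keeps dispatching `/users/edit/<n>` to this action with the extra positional argument ignored (PHP tolerates surplus arguments), a stale link carrying another user's id silently edits the caller's own profile instead of failing. I would add `/** Edit the authenticated user's own profile only; other accounts are handled by the admin edit action. Throws MethodNotAllowedException when MISP.disableUserSelfManagement is set and the caller is not an admin. */` above the signature, and consider throwing when the request still carries a passed id (e.g. a non-empty `$this->request->params['pass']`, if that is how this CakePHP version exposes it) so such links fail loudly rather than confusingly. The new `exists()` guard is correct but swallows the cause; logging the authenticated id before throwing would help incident triage since a missing row for a logged-in user is unexpected. The method body continues past the end of this hunk.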
@ -89,11 +85,6 @@ class UsersController extends AppController {
$this->Session->setFlash(__('The profile could not be updated. Please, try again.'));
}
} else {
$this->User->recursive = 0;
$this->User->read(null, $id);
if (!$this->User->exists() || (!$this->_isSiteAdmin() && $this->Auth->user('org_id') != $this->User->data['User']['org_id'])) {
throw new NotFoundException(__('Invalid user or not authorised.'));
}
$this->User->set('password', '');
$this->request->data = $this->User->data;
}
@ -682,7 +673,7 @@ class UsersController extends AppController {
}
$user = $this->User->read();
$oldKey = $this->User->data['User']['authkey'];
if ($id != 'me' && !$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org_id') == $this->User->data['User']['org_id']) && ($this->Auth->user('id') != $id)) {
if (!$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org_id') == $this->User->data['User']['org_id']) && ($this->Auth->user('id') != $id)) {
throw new MethodNotAllowedException();
}
$newkey = $this->User->generateAuthKey();


@ -132,7 +132,7 @@
case 'globalActions':
if (((Configure::read('MISP.disableUserSelfManagement') && $isAdmin) || !Configure::read('MISP.disableUserSelfManagement')) && ($menuItem === 'edit' || $menuItem === 'view')): ?>
<li id='liedit'><?php echo $this->Html->link(__('Edit User', true), array('action' => 'edit', $user['User']['id'])); ?></li>
<li id='liedit'><?php echo $this->Html->link(__('Edit My Profile', true), array('action' => 'edit')); ?></li>
<li class="divider"></li>
<?php elseif (Configure::read('Plugin.CustomAuth_custom_password_reset')): ?>
<li id='lipwreset'><a href="<?php echo h(Configure::read('Plugin.CustomAuth_custom_password_reset'));?>">Reset Password</a></li>


@ -1,7 +1,7 @@
<div class="users form">
<?php echo $this->Form->create('User', array('novalidate' => true));?>
<fieldset>
<legend><?php echo __('Edit User'); ?></legend>
<legend><?php echo __('Edit My Profile'); ?></legend>
<?php
echo $this->Form->input('email');
echo $this->Form->input('password');