fix: Fixes an invalid check allowing user profile modifications to target different users within the org
- User edit had an incorrect check that allowed a normal user to edit a different account within the same org - Also removed the deprecated option for this function to be used by org/site admins as an alternative to the admin edit - as reported by: Vytautas Paulikas and Robert Giruckas from SEC Consult. pull/1630/merge
parent
d9bac88c73
commit
fbfa8ac450
@ -64,16 +64,12 @@ class UsersController extends AppController {
return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'Something went wrong, please try again later.')),'status'=>200));
}
|
public function edit($id = null) {
public function edit() {
if (!$this->_isAdmin() && Configure::read('MISP.disableUserSelfManagement')) throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
$me = false;
if ("me" == $id) {
$id = $this->Auth->user('id');
$me = true;
}
$id = $this->Auth->user('id');
$this->User->read(null, $id);
if (!$this->User->exists() && !$me && !$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org_id') == $this->User->data['User']['org_id'])) {
throw new NotFoundException(__('Invalid user or not authorised.'));
if (!$this->User->exists()) {
throw new NotFoundException('Something went wrong. Your user account could not be accessed.');
}
if ($this->request->is('post') || $this->request->is('put')) {
// What fields should be saved (allowed to be saved)
@ -89,11 +85,6 @@ class UsersController extends AppController {
$this->Session->setFlash(__('The profile could not be updated. Please, try again.'));
}
} else {
$this->User->recursive = 0;
$this->User->read(null, $id);
if (!$this->User->exists() || (!$this->_isSiteAdmin() && $this->Auth->user('org_id') != $this->User->data['User']['org_id'])) {
throw new NotFoundException(__('Invalid user or not authorised.'));
}
$this->User->set('password', '');
$this->request->data = $this->User->data;
}
@ -682,7 +673,7 @@ class UsersController extends AppController {
}
$user = $this->User->read();
$oldKey = $this->User->data['User']['authkey'];
if ($id != 'me' && !$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org_id') == $this->User->data['User']['org_id']) && ($this->Auth->user('id') != $id)) {
if (!$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org_id') == $this->User->data['User']['org_id']) && ($this->Auth->user('id') != $id)) {
throw new MethodNotAllowedException();
}
$newkey = $this->User->generateAuthKey();
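Review bot: With `$id` now taken only from `$this->Auth->user('id')` in the `edit()` hunk at line 64, the POST/PUT branch that follows `// What fields should be saved (allowed to be saved)` still has to stop the request body from re-targeting the save: if the save honours `$this->request->data['User']['id']`, a user could once more write to another account, which is the exact hole this commit closes. That save code sits outside the hunk, so this is inferred, but the edit.ctp form in this commit is created with `$this->Form->create('User')` and populated from `$this->User->data`, and CakePHP's FormHelper normally emits a hidden `User.id` field in that situation, so an `id` does arrive in the POST. Pin it before saving, `$this->request->data['User']['id'] = $id;` (or unset it and rely on `$this->User->id` set by `read()`), alongside the field whitelist the comment announces. The `edit()` body continues beyond the hunk, as does the method holding the reworked authkey check at line 673, where `$this->Auth->user('id') != $id` would also read more safely as an explicit `(int)` comparison.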
@ -132,7 +132,7 @@
|
case 'globalActions':
if (((Configure::read('MISP.disableUserSelfManagement') && $isAdmin) || !Configure::read('MISP.disableUserSelfManagement')) && ($menuItem === 'edit' || $menuItem === 'view')): ?>
<li id='liedit'><?php echo $this->Html->link(__('Edit User', true), array('action' => 'edit', $user['User']['id'])); ?></li>
<li id='liedit'><?php echo $this->Html->link(__('Edit My Profile', true), array('action' => 'edit')); ?></li>
<li class="divider"></li>
<?php elseif (Configure::read('Plugin.CustomAuth_custom_password_reset')): ?>
<li id='lipwreset'><a href="<?php echo h(Configure::read('Plugin.CustomAuth_custom_password_reset'));?>">Reset Password</a></li>
@ -1,7 +1,7 @@
<div class="users form">
<?php echo $this->Form->create('User', array('novalidate' => true));?>
<fieldset>
<legend><?php echo __('Edit User'); ?></legend>
<legend><?php echo __('Edit My Profile'); ?></legend>
<?php
echo $this->Form->input('email');
echo $this->Form->input('password');