cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [security] Sharing group ACL fixes 

- added indirect object reference protection
- added correct ACL functionalities to delete, addOrg, removeOrg

- as reported by Dawid Czarnecki from Zigrin Security
pull/92/head
iglocska 2022-02-04 00:16:24 +01:00
parent 4a7183d63b
commit 15190b930e
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
2 changed files with 48 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Controller/Component/CRUDComponent.php
View File

@ -420,10 +420,16 @@ class CRUDComponent extends Component
}
$data = $this->Table->get($id, $params);
if (empty($data)) {
throw new NotFoundException(__('Invalid {0}.', $this->ObjectAlias));
}
$data = $this->attachMetaData($id, $data);
if (isset($params['afterFind'])) {
$data = $params['afterFind']($data);
}
if (empty($data)) {
throw new NotFoundException(__('Invalid {0}.', $this->ObjectAlias));
}
if ($this->Controller->ParamHandler->isRest()) {
$this->Controller->restResponsePayload = $this->RestResponse->viewData($data, 'json');
}

44
src/Controller/SharingGroupsController.php
View File

@ -7,6 +7,7 @@ use Cake\Utility\Hash;
use Cake\Utility\Text;
use \Cake\Database\Expression\QueryExpression;
use Cake\Error\Debugger;
use Cake\Http\Exception\NotFoundException;
class SharingGroupsController extends AppController
{
@ -54,8 +55,25 @@ class SharingGroupsController extends AppController
public function view($id)
{
$currentUser = $this->ACL->getUser();
$this->CRUD->view($id, [
'contain' => ['SharingGroupOrgs', 'Organisations', 'Users' => ['fields' => ['id', 'username']]]
'contain' => ['SharingGroupOrgs', 'Organisations', 'Users' => ['fields' => ['id', 'username']]],
'afterFind' => function($data) use ($currentUser) {
if (empty($currentUser['role']['perm_admin'])) {
$orgFround = false;
if (!empty($data['sharing_group_orgs'])) {
foreach ($data['sharing_group_orgs'] as $org) {
if ($org['id'] === $currentUser['organisation_id']) {
$orgFound = true;
}
}
}
if ($data['organisation_id'] !== $currentUser['organisation_id'] && !$orgFround) {
return null;
}
}
return $data;
}
]);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
@ -87,7 +105,11 @@ class SharingGroupsController extends AppController
public function delete($id)
{
$this->CRUD->delete($id);
$currentUser = $this->ACL->getUser();
if (empty($currentUser['role']['perm_admin'])) {
$params['conditions'] = ['organisation_id' => $currentUser['organisation_id']];
}
$this->CRUD->delete($id, $params);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
return $responsePayload;
@ -97,9 +119,18 @@ class SharingGroupsController extends AppController
public function addOrg($id)
{
$currentUser = $this->ACL->getUser();
$sharingGroup = $this->SharingGroups->get($id, [
'contain' => 'SharingGroupOrgs'
]);
if (empty($currentUser['role']['perm_admin'])) {
if ($sharingGroup['organisation_id'] !== $currentUser['organisation_id']) {
$sharingGroup = null;
}
}
if (empty($sharingGroup)) {
throw new NotFoundException(__('Invalid SharingGroup.'));
}
$conditions = [];
$containedOrgIds = array_values(\Cake\Utility\Hash::extract($sharingGroup, 'sharing_group_orgs.{n}.id'));
if (!empty($containedOrgIds)) {
@ -156,9 +187,18 @@ class SharingGroupsController extends AppController
public function removeOrg($id, $org_id)
{
$currentUser = $this->ACL->getUser();
$sharingGroup = $this->SharingGroups->get($id, [
'contain' => 'SharingGroupOrgs'
]);
if (empty($currentUser['role']['perm_admin'])) {
if ($sharingGroup['organisation_id'] !== $currentUser['organisation_id']) {
$sharingGroup = null;
}
}
if (empty($sharingGroup)) {
throw new NotFoundException(__('Invalid SharingGroup.'));
}
if ($this->request->is('post')) {
$org = $this->SharingGroups->SharingGroupOrgs->get($org_id);
$result = (bool)$this->SharingGroups->SharingGroupOrgs->unlink($sharingGroup, [$org]);