cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [security] fixed ACL for the user view endpoint 

- arbitrary resource access fixed

- As reported by Matúš Mikuláš, Adam Gajdošík, Milan Pikula of SK-CERT
develop-unstable
iglocska 2022-12-14 10:11:57 +01:00
parent a87208e8fb
commit 5edf477c2f
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Controller/UsersController.php
View File

@ -7,6 +7,7 @@ use Cake\Http\Exception\UnauthorizedException;
use Cake\Http\Exception\MethodNotAllowedException;
use Cake\Core\Configure;
use Cake\Utility\Security;
use Cake\Http\Exception\NotFoundException;
class UsersController extends AppController
{
@ -157,7 +158,10 @@ class UsersController extends AppController
}
$this->CRUD->view($id, [
'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles', 'Organisations'],
'afterFind' => function($data) use ($keycloakUsersParsed) {
'afterFind' => function($data) use ($keycloakUsersParsed, $currentUser) {
if (empty($currentUser['role']['perm_admin']) && $currentUser['organisation_id'] != $data['organisation_id']) {
throw new NotFoundException(__('Invalid User.'));
}
$data = $this->fetchTable('PermissionLimitations')->attachLimitations($data);
if (!empty(Configure::read('keycloak.enabled'))) {
$keycloakUser = $keycloakUsersParsed[$data->username] ?? [];