fix: [security] fixed ACL for the user view endpoint

- arbitrary resource access fixed

- As reported by Matúš Mikuláš, Adam Gajdošík, Milan Pikula of SK-CERT
develop-unstable
iglocska 2022-12-14 10:11:57 +01:00
parent a87208e8fb
commit 5edf477c2f
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 5 additions and 1 deletions


@ -7,6 +7,7 @@ use Cake\Http\Exception\UnauthorizedException;
use Cake\Http\Exception\MethodNotAllowedException; use Cake\Http\Exception\MethodNotAllowedException;
use Cake\Core\Configure; use Cake\Core\Configure;
use Cake\Utility\Security; use Cake\Utility\Security;
use Cake\Http\Exception\NotFoundException;
class UsersController extends AppController class UsersController extends AppController
{ {
@ -157,7 +158,10 @@ class UsersController extends AppController
} }
$this->CRUD->view($id, [ $this->CRUD->view($id, [
'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles', 'Organisations'], 'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles', 'Organisations'],
'afterFind' => function($data) use ($keycloakUsersParsed) { 'afterFind' => function($data) use ($keycloakUsersParsed, $currentUser) {
if (empty($currentUser['role']['perm_admin']) && $currentUser['organisation_id'] != $data['organisation_id']) {
throw new NotFoundException(__('Invalid User.'));
}
$data = $this->fetchTable('PermissionLimitations')->attachLimitations($data); $data = $this->fetchTable('PermissionLimitations')->attachLimitations($data);
if (!empty(Configure::read('keycloak.enabled'))) { if (!empty(Configure::read('keycloak.enabled'))) {
$keycloakUser = $keycloakUsersParsed[$data->username] ?? []; $keycloakUser = $keycloakUsersParsed[$data->username] ?? [];
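Review bot: The new organisation guard in the `afterFind` closure compares the two ids with loose `!=`, so its outcome depends on the two values having compatible types (entity attribute versus the `$currentUser` array) and on neither being null, since two null organisation ids compare equal and the check passes. A strict comparison with explicit normalisation removes both surprises: `if (empty($currentUser['role']['perm_admin']) && (int) $currentUser['organisation_id'] !== (int) $data['organisation_id']) {`, plus a separate rejection when `$data['organisation_id']` is null if organisation-less users can exist in this schema (not determinable from the hunk). Throwing `NotFoundException` for the cross-organisation case instead of a 403 is the right choice because it does not reveal whether the requested id exists; a one-line comment such as `// 404 rather than 403: do not reveal whether the user id exists` would keep a later refactor from "correcting" it. Note that the check runs only after the record and its contained Individuals/Roles/Organisations have been loaded; if the CRUD component supports query conditions, filtering by organisation before the fetch would be the more defensive placement. The enclosing `view()` action and the assignment of `$currentUser` start outside the hunk, so whether `$currentUser` is always populated here cannot be confirmed from this diff.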