From 7df03db0879807e07309308141ed3e23f340b28a Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Wed, 28 Jun 2023 10:18:36 +0200
Subject: [PATCH 1/5] Update INSTALL.md some minor fixes
---
 INSTALL/INSTALL.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/INSTALL/INSTALL.md b/INSTALL/INSTALL.md
index 8e18f2c..027bbdf 100644
--- a/INSTALL/INSTALL.md
+++ b/INSTALL/INSTALL.md
@@ -32,13 +32,13 @@ sudo add-apt-repository ppa:ondrej/php
 - for apache
 ```bash
-sudo apt install apache2 mariadb-server git php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 ph8.2p-curl sqlite libapache2-mod-php php8.2-mysql
+sudo apt install apache2 mariadb-server git php8.2 php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 ph8.2-curl sqlite libapache2-mod-php php8.2-mysql
 ```
 - for nginx
 ```bash
-sudo apt install nginx mariadb-server git php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 ph8.2p-curl sqlite php8.2-mysql
+sudo apt install nginx mariadb-server git php8.2 php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 ph8.2-curl sqlite php8.2-mysql
 ```
@@ -48,7 +48,6 @@ Install composer:
 ~~~bash
 cd
 php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
-php -r "if (hash_file('sha384', 'composer-setup.php') === '55ce33d7678c5a611085589f1f3ddf8b3c52d662cd01d4ba75c0ee0459970c2200a51f492d557530c71c15d8dba01eae') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
 php composer-setup.php
 php -r "unlink('composer-setup.php');"
 sudo mv composer.phar /usr/local/bin/composer
From a11f935969ec4c3966d63e26c283705daf2ed140 Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Wed, 28 Jun 2023 10:21:33 +0200
Subject: [PATCH 2/5] Update INSTALL.md
---
 INSTALL/INSTALL.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
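Review bot: The second hunk deletes the only integrity check on the Composer installer — the `php -r "if (hash_file('sha384', 'composer-setup.php') === '55ce…` line — so the following `php composer-setup.php` now executes whatever the download returned, with no way for the installer to notice a tampered or truncated file. If the line was removed because the pinned hash goes stale with every installer release, replace it with a check against the checksum Composer publishes alongside the installer rather than dropping verification: `EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"` followed by `php -r "if (hash_file('sha384', 'composer-setup.php') === '$EXPECTED_CHECKSUM') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); } echo PHP_EOL;"` (the upstream-documented procedure; confirm the URL against getcomposer.org before publishing). At minimum the instructions should tell the reader where to obtain the current hash, since an unverified installer is the classic supply-chain foothold on a fresh deployment.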
diff --git a/INSTALL/INSTALL.md b/INSTALL/INSTALL.md
index 027bbdf..679c660 100644
--- a/INSTALL/INSTALL.md
+++ b/INSTALL/INSTALL.md
@@ -32,13 +32,13 @@ sudo add-apt-repository ppa:ondrej/php
 - for apache
 ```bash
-sudo apt install apache2 mariadb-server git php8.2 php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 ph8.2-curl sqlite libapache2-mod-php php8.2-mysql
+sudo apt install apache2 mariadb-server git php8.2 php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 php8.2-curl sqlite libapache2-mod-php php8.2-mysql
 ```
 - for nginx
 ```bash
-sudo apt install nginx mariadb-server git php8.2 php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 ph8.2-curl sqlite php8.2-mysql
+sudo apt install nginx mariadb-server git php8.2 php8.2-intl php8.2-mbstring php8.2-dom php8.2-xml unzip php8.2-ldap php8.2-sqlite3 php8.2-curl sqlite php8.2-mysql
 ```
From 82bf3a74c1f75ec2c311a7a0b830b900d09da2bd Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 28 Jun 2023 14:59:31 +0200
Subject: [PATCH 3/5] chg: [internal] fetch first role if no default is set
---
 src/Controller/UsersController.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 95db80a..d33490c 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -75,6 +75,9 @@ class UsersController extends AppController
             $validRoles = $this->Users->Roles->find('list')->order(['name' => 'asc'])->all()->toArray();
         }
         $defaultRole = $this->Users->Roles->find()->select(['id'])->where(['is_default' => true])->first()->toArray();
+        if (empty($defaultRole)) {
+            $defaultRole = $this->Users->Roles->find()->select(['id'])->first()->toArray();
+        }
         $individuals = $this->Users->Individuals->find('list', $individuals_params)->toArray();
         $this->CRUD->add([
             'beforeMarshal' => function($data) {
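Review bot: The added fallback `$this->Users->Roles->find()->select(['id'])->first()` has neither an `order()` nor a `where()`, so when no role is flagged `is_default` the role pre-selected for every new user is whichever row the database happens to return first — which, depending on insertion order, can be an administrative role (the role record carries `perm_admin`/`perm_org_admin` flags, per the UserSettingsController hunk later in this series). A fallback default must be deterministic and must never escalate: `->where(['perm_admin' => false, 'perm_org_admin' => false])->order(['id' => 'asc'])->first()` (column names inferred from the flags used elsewhere; verify against the Roles schema), or refuse to create users until an administrator marks a default role. Whether the pre-selected role is what the user ends up with, or merely the form default, depends on the `add` action's remaining code, which starts and ends outside the hunk.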
From d7bf8af5b16d134b7aaa00270d7cd20ff4eb1b1a Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 28 Jun 2023 15:01:26 +0200
Subject: [PATCH 4/5] fix: [internal] user add fix attempt #2
---
 src/Controller/UsersController.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index d33490c..574d344 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -74,10 +74,11 @@ class UsersController extends AppController
         } else {
             $validRoles = $this->Users->Roles->find('list')->order(['name' => 'asc'])->all()->toArray();
         }
-        $defaultRole = $this->Users->Roles->find()->select(['id'])->where(['is_default' => true])->first()->toArray();
+        $defaultRole = $this->Users->Roles->find()->select(['id'])->where(['is_default' => true])->first();
         if (empty($defaultRole)) {
-            $defaultRole = $this->Users->Roles->find()->select(['id'])->first()->toArray();
+            $defaultRole = $this->Users->Roles->find()->select(['id'])->first();
         }
+        $defaultRole = $defaultRole->toArray();
         $individuals = $this->Users->Individuals->find('list', $individuals_params)->toArray();
         $this->CRUD->add([
             'beforeMarshal' => function($data) {
From 8e616180ba0d6a1fcb8326dbe39307960ee1946c Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 23 Aug 2023 15:08:23 +0200
Subject: [PATCH 5/5] fix: [security] user settings editable by arbitrary user fixed - as reported by Infigo on behalf of ENISA
---
 src/Controller/UserSettingsController.php | 28 +++++++++++++++++------
 1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/src/Controller/UserSettingsController.php b/src/Controller/UserSettingsController.php
index 7f9690a..6bcd197 100644
--- a/src/Controller/UserSettingsController.php
+++ b/src/Controller/UserSettingsController.php
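Review bot: `$defaultRole = $defaultRole->toArray();` on the last added line still dereferences null when the Roles table has no rows, because both `first()` calls return null in that case and `empty($defaultRole)` only switches between the two queries; on a fresh install the add form then dies with "Call to a member function toArray() on null" instead of a handled error. Guard before converting, e.g. `if (empty($defaultRole)) { throw new NotFoundException(__('No roles defined; create a role before adding users.')); }` — or whichever exception/flash pattern this controller uses, since its imports are outside the hunk. The unordered fallback `->first()` also still selects an arbitrary role, which may be a privileged one; an explicit `order(['id' => 'asc'])` plus a filter excluding admin roles keeps the choice deterministic and non-escalating. The enclosing `add` action starts and ends outside the hunk.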
@@ -100,21 +100,34 @@ class UserSettingsController extends AppController
             'id' => $id
         ])->first();
-        if (!$this->isLoggedUserAllowedToEdit($entity)) {
-            throw new NotFoundException(__('Invalid {0}.', 'user setting'));
+        $currentUser = $this->ACL->getUser();
+        $validUsers = [];
+        $individual_ids = [];
+        if (!$currentUser['role']['perm_admin']) {
+            if ($currentUser['role']['perm_org_admin']) {
+                $validUsers = $this->Users->find('list')->select(['id', 'username'])->order(['username' => 'asc'])->where(['organisation_id' => $currentUser['organisation']['id']])->all()->toArray();
+            } else {
+                $validUsers = [$currentUser['id'] => $currentUser['username']];
+            }
+        } else {
+            $validUsers = $this->Users->find('list')->select(['id', 'username'])->order(['username' => 'asc'])->all()->toArray();
         }
         $entity = $this->CRUD->edit($id, [
-            'redirect' => ['action' => 'index', $entity->user_id]
+            'redirect' => ['action' => 'index', $entity->user_id],
+            'beforeSave' => function ($data) use ($validUsers) {
+                if (!in_array($data['user_id'], array_keys($validUsers))) {
+                    throw new MethodNotAllowedException(__('You cannot edit the given user.'));
+                }
+                return $data;
+            }
         ]);
         $responsePayload = $this->CRUD->getResponsePayload();
         if (!empty($responsePayload)) {
             return $responsePayload;
         }
         $dropdownData = [
-            'user' => $this->UserSettings->Users->find('list', [
-                'sort' => ['username' => 'asc']
-            ]),
+            'user' => $validUsers,
         ];
         $this->set(compact('dropdownData'));
         $this->set('user_id', $this->entity->user_id);
@@ -259,8 +272,9 @@ class UserSettingsController extends AppController
             if (empty($setting)) {
                 return false;
             }
+        } else {
+            $isAllowed = $setting->user_id == $currentUser->id;
         }
-        $isAllowed = $setting->user_id == $currentUser->id;
     }
     return $isAllowed;
 }
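Review bot: The new `beforeSave` closure only validates `$data['user_id']` from the submitted payload; the ownership check on the fetched `$entity` (the removed `isLoggedUserAllowedToEdit($entity)` call) has no replacement, so a non-admin can still open `edit` on another user's setting `$id` and submit it with their own `user_id` in the form — that passes the `in_array` test and the foreign row at `$id` is saved, modified and re-homed to the attacker, assuming `CRUD->edit` patches the request data onto the fetched entity (its implementation is not visible here). Keep an entity-level check before the edit call, e.g. `if (empty($entity) || !isset($validUsers[$entity->user_id])) { throw new NotFoundException(__('Invalid {0}.', 'user setting')); }`, which also covers an unknown `$id` that currently reaches `$entity->user_id` in the redirect array as a null dereference. Inside the closure, `isset($validUsers[$data['user_id']])` is clearer than the non-strict `in_array` over `array_keys()` and does not warn when `user_id` is absent from the payload; `$individual_ids = []` is assigned and never used in the hunk. The `edit` action starts above the hunk.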
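Review bot: After this change the path that loads the setting by id (the branch ending in `if (empty($setting)) { return false; }`) no longer performs any ownership comparison — `$isAllowed = $setting->user_id == $currentUser->id;` now runs only in the new `else` — so for a numeric `$setting` the method returns whatever `$isAllowed` held before this block, which is set above the hunk and not visible here (if it is initialised to `true`, that is an authorisation bypass for any setting id; if `false`, non-admins are denied their own settings when looked up by id). Unless that is intended, the comparison should follow the fetch on both paths: keep `$isAllowed = $setting->user_id == $currentUser->id;` after the `if`/`else` as it was, rather than moving it into the `else`. While here, compare strictly on normalised integers, `$isAllowed = (int)$setting->user_id === (int)$currentUser->id;`, so a string id from the request cannot fall into PHP's loose `==` rules. The enclosing `isLoggedUserAllowedToEdit` method starts above the hunk.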