From 88f3cc794486276a1f7e7331adb8ecb2dabd672f Mon Sep 17 00:00:00 2001
From: iglocska
Date: Fri, 4 Feb 2022 00:45:42 +0100
Subject: [PATCH] fix: [security] user settings allow enumeration of usernames - as reported by Dawid Czarnecki from Zigrin Security

---
 src/Controller/UserSettingsController.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/Controller/UserSettingsController.php b/src/Controller/UserSettingsController.php
index 02affce..7f9690a 100644
--- a/src/Controller/UserSettingsController.php
+++ b/src/Controller/UserSettingsController.php
@@ -36,9 +36,16 @@ class UserSettingsController extends AppController
             return $responsePayload;
         }
         if (!empty($this->request->getQuery('Users_id'))) {
-            $settingsForUser = $this->UserSettings->Users->find()->where([
+            $conditions = [
                 'id' => $this->request->getQuery('Users_id')
-            ])->first();
+            ];
+            if (empty($currentUser['role']['perm_admin'])) {
+                $conditions['organisation_id'] = $currentUser['organisation_id'];
+            }
+            $settingsForUser = $this->UserSettings->Users->find()->where($conditions)->first();
+            if (empty($settingsForUser)) {
+                throw new NotFoundException(__('Invalid {0}.', __('user')));
+            }
             $this->set('settingsForUser', $settingsForUser);
         }
     }
@@ -233,7 +240,7 @@ class UserSettingsController extends AppController
     }
 
     /**
-     * isLoggedUserAllowedToEdit
+     * isLoggedUserAllowedToEdit
      *
      * @param int|\App\Model\Entity\UserSetting $setting
      * @return boolean
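Review bot: The organisation filter added in the non-admin branch narrows the enumeration to the caller's own organisation rather than closing it: any regular user can still probe `Users_id` values and, through the 200/404 split that the new `empty($settingsForUser)` check introduces, learn which ids belong to colleagues. If only site admins and organisation-level admins are meant to view another user's settings, users without such a permission should have the lookup pinned to themselves instead of to the organisation, e.g. `$conditions['id'] = $currentUser['id'];` for that case — whether the role model carries an org-admin flag is not visible from this hunk, so this is a question for the permission design rather than a certain defect. `$currentUser` is not assigned inside the hunk and `NotFoundException` needs a `use` import at the top of the file; both presumably already exist but should be confirmed. The enclosing method starts before the hunk; its closing brace is the hunk's last context line.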