fix: [security] user settings allow enumeration of usernames
- as reported by Dawid Czarnecki from Zigrin Securitypull/92/head
parent
a263234917
commit
88f3cc7944
|
@ -36,9 +36,16 @@ class UserSettingsController extends AppController
|
||||||
return $responsePayload;
|
return $responsePayload;
|
||||||
}
|
}
|
||||||
if (!empty($this->request->getQuery('Users_id'))) {
|
if (!empty($this->request->getQuery('Users_id'))) {
|
||||||
$settingsForUser = $this->UserSettings->Users->find()->where([
|
$conditions = [
|
||||||
'id' => $this->request->getQuery('Users_id')
|
'id' => $this->request->getQuery('Users_id')
|
||||||
])->first();
|
];
|
||||||
|
if (empty($currentUser['role']['perm_admin'])) {
|
||||||
|
$conditions['organisation_id'] = $currentUser['organisation_id'];
|
||||||
|
}
|
||||||
|
$settingsForUser = $this->UserSettings->Users->find()->where($conditions)->first();
|
||||||
|
if (empty($settingsForUser)) {
|
||||||
|
throw new NotFoundException(__('Invalid {0}.', __('user')));
|
||||||
|
}
|
||||||
$this->set('settingsForUser', $settingsForUser);
|
$this->set('settingsForUser', $settingsForUser);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue