fix: [security] user settings allow enumeration of usernames

- as reported by Dawid Czarnecki from Zigrin Security
pull/92/head
iglocska 2022-02-04 00:45:42 +01:00
parent a263234917
commit 88f3cc7944
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 10 additions and 3 deletions


@ -36,9 +36,16 @@ class UserSettingsController extends AppController
return $responsePayload; return $responsePayload;
} }
if (!empty($this->request->getQuery('Users_id'))) { if (!empty($this->request->getQuery('Users_id'))) {
$settingsForUser = $this->UserSettings->Users->find()->where([ $conditions = [
'id' => $this->request->getQuery('Users_id') 'id' => $this->request->getQuery('Users_id')
])->first(); ];
if (empty($currentUser['role']['perm_admin'])) {
$conditions['organisation_id'] = $currentUser['organisation_id'];
}
$settingsForUser = $this->UserSettings->Users->find()->where($conditions)->first();
if (empty($settingsForUser)) {
throw new NotFoundException(__('Invalid {0}.', __('user')));
}
$this->set('settingsForUser', $settingsForUser); $this->set('settingsForUser', $settingsForUser);
} }
} }
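Review bot: The new organisation scope at lines 21-23 only distinguishes global admins (`perm_admin`) from everyone else, so any non-admin user can still look up the settings of any other user in their own organisation by `Users_id`; if the intent is to restrict this to org administrators or to the requesting user, the condition needs that additional check (the early `return $responsePayload;` at the top of the hunk may already cover the self case, but its condition is outside the hunk). Returning the same `NotFoundException` for a foreign-organisation id and a non-existent id is what actually closes the enumeration, and that intent deserves a comment so nobody later "improves" it into a 403, e.g. `// Non-admins are scoped to their own organisation; foreign and unknown ids both 404 so user ids cannot be enumerated.` Also confirm that `NotFoundException` is imported in this controller, since the `use` block is not visible here. The enclosing action, and the definition of `$currentUser` it relies on, start outside this hunk.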
@ -233,7 +240,7 @@ class UserSettingsController extends AppController
} }
/** /**
* isLoggedUserAllowedToEdit * isLoggedUserAllowedToEdit
* *
* @param int|\App\Model\Entity\UserSetting $setting * @param int|\App\Model\Entity\UserSetting $setting
* @return boolean * @return boolean