fix: [security] user settings editable by arbitrary user fixed

- as reported by Infigo on behalf of ENISA
pull/163/head
iglocska 2023-08-23 15:08:23 +02:00
parent d7bf8af5b1
commit 8e616180ba
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 21 additions and 7 deletions


@ -100,21 +100,34 @@ class UserSettingsController extends AppController
'id' => $id 'id' => $id
])->first(); ])->first();
if (!$this->isLoggedUserAllowedToEdit($entity)) { $currentUser = $this->ACL->getUser();
throw new NotFoundException(__('Invalid {0}.', 'user setting')); $validUsers = [];
$individual_ids = [];
if (!$currentUser['role']['perm_admin']) {
if ($currentUser['role']['perm_org_admin']) {
$validUsers = $this->Users->find('list')->select(['id', 'username'])->order(['username' => 'asc'])->where(['organisation_id' => $currentUser['organisation']['id']])->all()->toArray();
} else {
$validUsers = [$currentUser['id'] => $currentUser['username']];
}
} else {
$validUsers = $this->Users->find('list')->select(['id', 'username'])->order(['username' => 'asc'])->all()->toArray();
} }
$entity = $this->CRUD->edit($id, [ $entity = $this->CRUD->edit($id, [
'redirect' => ['action' => 'index', $entity->user_id] 'redirect' => ['action' => 'index', $entity->user_id],
'beforeSave' => function ($data) use ($validUsers) {
if (!in_array($data['user_id'], array_keys($validUsers))) {
throw new MethodNotAllowedException(__('You cannot edit the given user.'));
}
return $data;
}
]); ]);
$responsePayload = $this->CRUD->getResponsePayload(); $responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) { if (!empty($responsePayload)) {
return $responsePayload; return $responsePayload;
} }
$dropdownData = [ $dropdownData = [
'user' => $this->UserSettings->Users->find('list', [ 'user' => $validUsers,
'sort' => ['username' => 'asc']
]),
]; ];
$this->set(compact('dropdownData')); $this->set(compact('dropdownData'));
$this->set('user_id', $this->entity->user_id); $this->set('user_id', $this->entity->user_id);
@ -259,9 +272,10 @@ class UserSettingsController extends AppController
if (empty($setting)) { if (empty($setting)) {
return false; return false;
} }
} } else {
$isAllowed = $setting->user_id == $currentUser->id; $isAllowed = $setting->user_id == $currentUser->id;
} }
}
return $isAllowed; return $isAllowed;
} }
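Review bot: The rewritten edit action removes the `isLoggedUserAllowedToEdit($entity)` pre-check that the two deleted lines performed and enforces ownership only inside the `beforeSave` closure, so the setting fetched at the top of the hunk is never compared against `$validUsers` before `$this->CRUD->edit($id, ...)` runs; if the CRUD component renders the form on a GET before any save, a non-admin can presumably still open another user's setting and read its current value, which the old check prevented. A guard placed right after `$validUsers` is built closes that gap: `if (empty($entity) || !isset($validUsers[$entity->user_id])) { throw new NotFoundException(__('Invalid {0}.', 'user setting')); }`. Inside the closure, `in_array($data['user_id'], array_keys($validUsers))` is a loose comparison of request input against integer keys; `isset($validUsers[$data['user_id']])` expresses the intended key lookup directly and avoids the loose-equality rules. `$individual_ids = [];` is assigned and never used anywhere in the hunk and should be dropped. The second hunk's new `else` branch belongs to a method whose start is outside the hunk, so its effect on the admin branches above cannot be confirmed from here.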