cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [security] user settings editable by arbitrary user fixed 

- as reported by Infigo on behalf of ENISA
pull/163/head
iglocska 2023-08-23 15:08:23 +02:00
parent d7bf8af5b1
commit 8e616180ba
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 21 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/Controller/UserSettingsController.php
View File

@ -100,21 +100,34 @@ class UserSettingsController extends AppController
'id' => $id
])->first();
if (!$this->isLoggedUserAllowedToEdit($entity)) {
throw new NotFoundException(__('Invalid {0}.', 'user setting'));
$currentUser = $this->ACL->getUser();
$validUsers = [];
$individual_ids = [];
if (!$currentUser['role']['perm_admin']) {
if ($currentUser['role']['perm_org_admin']) {
$validUsers = $this->Users->find('list')->select(['id', 'username'])->order(['username' => 'asc'])->where(['organisation_id' => $currentUser['organisation']['id']])->all()->toArray();
} else {
$validUsers = [$currentUser['id'] => $currentUser['username']];
}
} else {
$validUsers = $this->Users->find('list')->select(['id', 'username'])->order(['username' => 'asc'])->all()->toArray();
}
$entity = $this->CRUD->edit($id, [
'redirect' => ['action' => 'index', $entity->user_id]
'redirect' => ['action' => 'index', $entity->user_id],
'beforeSave' => function ($data) use ($validUsers) {
if (!in_array($data['user_id'], array_keys($validUsers))) {
throw new MethodNotAllowedException(__('You cannot edit the given user.'));
}
return $data;
}
]);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
return $responsePayload;
}
$dropdownData = [
'user' => $this->UserSettings->Users->find('list', [
'sort' => ['username' => 'asc']
]),
'user' => $validUsers,
];
$this->set(compact('dropdownData'));
$this->set('user_id', $this->entity->user_id);
@ -259,9 +272,10 @@ class UserSettingsController extends AppController
if (empty($setting)) {
return false;
}
}
} else {
$isAllowed = $setting->user_id == $currentUser->id;
}
}
return $isAllowed;
}