From a2632349175e574cd6305fa459cd7610ea09ab61 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Fri, 4 Feb 2022 00:36:31 +0100
Subject: [PATCH] fix: [security] open endpoints should only be open when enabled - as reported by Dawid Czarnecki from Zigrin Security

---
 src/Controller/Open/IndividualsController.php | 6 +++++-
 src/Controller/Open/OrganisationsController.php | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/Controller/Open/IndividualsController.php b/src/Controller/Open/IndividualsController.php
index 28cd51d..79af257 100644
--- a/src/Controller/Open/IndividualsController.php
+++ b/src/Controller/Open/IndividualsController.php
@@ -11,13 +11,17 @@ use Cake\Http\Exception\NotFoundException;
 use Cake\Http\Exception\MethodNotAllowedException;
 use Cake\Http\Exception\ForbiddenException;
 use Cake\Event\EventInterface;
+use Cake\Core\Configure;
 
 class IndividualsController extends AppController
 {
 public function beforeFilter(EventInterface $event)
 {
 parent::beforeFilter($event);
-$this->Authentication->allowUnauthenticated(['index']);
+$open = Configure::read('Cerebrate.open');
+if (!empty($open) && in_array('individuals', $open)) {
+$this->Authentication->allowUnauthenticated(['index']);
+}
 }
 
 public function index()
diff --git a/src/Controller/Open/OrganisationsController.php b/src/Controller/Open/OrganisationsController.php
index ad22f42..facda8a 100644
--- a/src/Controller/Open/OrganisationsController.php
+++ b/src/Controller/Open/OrganisationsController.php
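Review bot: The new `in_array('individuals', $open)` guard in beforeFilter uses loose comparison and assumes `Cerebrate.open` is an array, which the `!empty($open)` check does not establish. A map-shaped value such as `['individuals' => true]` would satisfy the check through `'individuals' == true` even though the name is not listed, and a bare string value would (on PHP 8, as far as I can tell) make `in_array` throw a TypeError and turn a misconfiguration into a 500 instead of a closed endpoint. Since this condition is the only thing keeping the endpoint authenticated, I would make it strict and explicitly typed: `if (is_array($open) && in_array('individuals', $open, true)) {`. The same applies to the `'organisations'` check in the OrganisationsController hunk. The `index()` action whose signature closes this hunk continues outside it.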
@@ -10,13 +10,17 @@ use Cake\Http\Exception\NotFoundException;
 use Cake\Http\Exception\MethodNotAllowedException;
 use Cake\Http\Exception\ForbiddenException;
 use Cake\Event\EventInterface;
+use Cake\Core\Configure;
 
 class OrganisationsController extends AppController
 {
 public function beforeFilter(EventInterface $event)
 {
 parent::beforeFilter($event);
-$this->Authentication->allowUnauthenticated(['index']);
+$open = Configure::read('Cerebrate.open');
+if (!empty($open) && in_array('organisations', $open)) {
+$this->Authentication->allowUnauthenticated(['index']);
+}
 }
 
 public function index()