cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [security] open endpoints should only be open when enabled 

- as reported by Dawid Czarnecki from Zigrin Security
pull/92/head
iglocska 2022-02-04 00:36:31 +01:00
parent 15190b930e
commit a263234917
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Controller/Open/IndividualsController.php
View File

@ -11,13 +11,17 @@ use Cake\Http\Exception\NotFoundException;
use Cake\Http\Exception\MethodNotAllowedException; use Cake\Http\Exception\MethodNotAllowedException;
use Cake\Http\Exception\ForbiddenException; use Cake\Http\Exception\ForbiddenException;
use Cake\Event\EventInterface; use Cake\Event\EventInterface;
use Cake\Core\Configure;
class IndividualsController extends AppController class IndividualsController extends AppController
{ {
public function beforeFilter(EventInterface $event) public function beforeFilter(EventInterface $event)
{ {
parent::beforeFilter($event); parent::beforeFilter($event);
$this->Authentication->allowUnauthenticated(['index']); $open = Configure::read('Cerebrate.open');
if (!empty($open) && in_array('individuals', $open)) {
$this->Authentication->allowUnauthenticated(['index']);
}
} }
public function index() public function index()

6
src/Controller/Open/OrganisationsController.php
View File

@ -10,13 +10,17 @@ use Cake\Http\Exception\NotFoundException;
use Cake\Http\Exception\MethodNotAllowedException; use Cake\Http\Exception\MethodNotAllowedException;
use Cake\Http\Exception\ForbiddenException; use Cake\Http\Exception\ForbiddenException;
use Cake\Event\EventInterface; use Cake\Event\EventInterface;
use Cake\Core\Configure;
class OrganisationsController extends AppController class OrganisationsController extends AppController
{ {
public function beforeFilter(EventInterface $event) public function beforeFilter(EventInterface $event)
{ {
parent::beforeFilter($event); parent::beforeFilter($event);
$this->Authentication->allowUnauthenticated(['index']); $open = Configure::read('Cerebrate.open');
if (!empty($open) && in_array('organisations', $open)) {
$this->Authentication->allowUnauthenticated(['index']);
}
} }
public function index() public function index()