fix: [security] Removed a user's ability to change their role
- as reported by cert.pl
pull/32/head
parent
f98e9821dc
commit
a7348e5266
|
@ -71,14 +71,16 @@ class CRUDComponent extends Component
|
|||
{
|
||||
$this->getMetaTemplates();
|
||||
$data = $this->Table->newEmptyEntity();
|
||||
if (!empty($params['fields'])) {
|
||||
$this->Controller->set('fields', $params['fields']);
|
||||
}
|
||||
if ($this->request->is('post')) {
|
||||
$input = $this->request->getData();
|
||||
if (!empty($params['override'])) {
|
||||
foreach ($params['override'] as $field => $value) {
|
||||
$input[$field] = $value;
|
||||
}
|
||||
$patchEntityParams = [];
|
||||
$input = $this->__massageInput($params);
|
||||
if (!empty($params['fields'])) {
|
||||
$patchEntityParams['fields'] = $params['fields'];
|
||||
}
|
||||
$data = $this->Table->patchEntity($data, $input);
|
||||
$data = $this->Table->patchEntity($data, $input, $patchEntityParams);
|
||||
if ($this->Table->save($data)) {
|
||||
$message = __('{0} added.', $this->ObjectAlias);
|
||||
if (!empty($input['metaFields'])) {
|
||||
|
@ -127,6 +129,23 @@ class CRUDComponent extends Component
|
|||
}
|
||||
}
|
||||
|
||||
private function __massageInput($params)
|
||||
{
|
||||
$input = $this->request->getData();
|
||||
if (!empty($params['override'])) {
|
||||
foreach ($params['override'] as $field => $value) {
|
||||
$input[$field] = $value;
|
||||
}
|
||||
}
|
||||
if (!empty($params['removeEmpty'])) {
|
||||
foreach ($params['removeEmpty'] as $removeEmptyField)
|
||||
if (isset($input[$removeEmptyField])) {
|
||||
unset($input[$removeEmptyField]);
|
||||
}
|
||||
}
|
||||
return $input;
|
||||
}
|
||||
|
||||
public function edit(int $id, array $params = []): void
|
||||
{
|
||||
if (empty($id)) {
|
||||
|
@ -135,14 +154,16 @@ class CRUDComponent extends Component
|
|||
$this->getMetaTemplates();
|
||||
$data = $this->Table->get($id, isset($params['get']) ? $params['get'] : []);
|
||||
$data = $this->getMetaFields($id, $data);
|
||||
if (!empty($params['fields'])) {
|
||||
$this->Controller->set('fields', $params['fields']);
|
||||
}
|
||||
if ($this->request->is(['post', 'put'])) {
|
||||
$input = $this->request->getData();
|
||||
if (!empty($params['override'])) {
|
||||
foreach ($params['override'] as $field => $value) {
|
||||
$input[$field] = $value;
|
||||
}
|
||||
$patchEntityParams = [];
|
||||
$input = $this->__massageInput($params);
|
||||
if (!empty($params['fields'])) {
|
||||
$patchEntityParams['fields'] = $params['fields'];
|
||||
}
|
||||
$this->Table->patchEntity($data, $this->request->getData());
|
||||
$this->Table->patchEntity($data, $input, $patchEntityParams);
|
||||
if ($this->Table->save($data)) {
|
||||
$message = __('{0} updated.', $this->ObjectAlias);
|
||||
if (!empty($input['metaFields'])) {
|
||||
|
@ -161,7 +182,6 @@ class CRUDComponent extends Component
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
$this->Controller->set('entity', $data);
|
||||
}
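Review bot: In `__massageInput` the `removeEmpty` loop drops a field whenever it is present, not when it is empty: `isset($input[$removeEmptyField])` is also true for a non-empty string, so with the `'removeEmpty' => ['password']` configuration in UsersController a freshly submitted password would be unset before `patchEntity` and silently never saved (as rendered on this page; if the real source carries an extra clause on that condition, disregard). The check should look at the value, e.g. `if (isset($input[$removeEmptyField]) && $input[$removeEmptyField] === '') {`, and the `foreach` above it should get braces rather than relying on a single-statement body. The helper also deserves a header comment, e.g. `// Builds the payload for patchEntity: request data with forced overrides applied and blank optional fields (an untouched password) removed.` The enclosing `add()` and `edit()` bodies start and end outside the hunks shown.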
|
||||
|
||||
|
@ -57,11 +57,23 @@ class UsersController extends AppController
|
|||
if (empty($id) || empty($this->ACL->getUser()['role']['perm_admin'])) {
|
||||
$id = $this->ACL->getUser()['id'];
|
||||
}
|
||||
$this->CRUD->edit($id, [
|
||||
$params = [
|
||||
'get' => [
|
||||
'fields' => ['id', 'individual_id', 'role_id', 'username', 'disabled']
|
||||
'fields' => [
|
||||
'id', 'individual_id', 'role_id', 'username', 'disabled'
|
||||
]
|
||||
],
|
||||
'removeEmpty' => [
|
||||
'password'
|
||||
],
|
||||
'fields' => [
|
||||
'id', 'individual_id', 'username', 'disabled', 'password', 'confirm_password'
|
||||
]
|
||||
]);
|
||||
];
|
||||
if (!empty($this->ACL->getUser()['role']['perm_admin'])) {
|
||||
$params['fields'][] = 'role_id';
|
||||
}
|
||||
$this->CRUD->edit($id, $params);
|
||||
if ($this->ParamHandler->isRest()) {
|
||||
return $this->restResponsePayload;
|
||||
}
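Review bot: `individual_id`, `username` and `disabled` remain in the non-admin whitelist on the `'fields'` line, so a user who is forced onto their own record by the `$id` override above can still re-point the account at a different individual, rename it, or toggle `disabled`; if `individual_id` is what binds a login to a person record, that is the same class of self-service change this commit closes for `role_id`. I would shrink the base list to `'fields' => ['password', 'confirm_password']` and grow the admin branch to `array_push($params['fields'], 'individual_id', 'username', 'disabled', 'role_id');`, which also takes `id` out of the patchable set, since the row is already selected by the `get` above. The whitelist only bites when `$params['fields']` is non-empty, which this call guarantees, but that deserves a one-line comment: `// Non-admins may only change their own password; every other column is admin-only.` The enclosing `edit()` action continues outside the hunk.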
|
||||
|
@ -42,6 +42,11 @@
|
|||
];
|
||||
if (!empty($data['fields'])) {
|
||||
foreach ($data['fields'] as $fieldData) {
|
||||
if (!empty($fields)) {
|
||||
if (!in_array($fieldData['field'], $fields)) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
// we reset the template each iteration as individual fields might override the defaults.
|
||||
$this->Form->setTemplates($default_template);
|
||||
if (isset($fieldData['requirements']) && !$fieldData['requirements']) {
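Review bot: The new `in_array($fieldData['field'], $fields)` in the whitelist check is a loose comparison; with string field names it is cheap hygiene to pass the strict flag, `if (!in_array($fieldData['field'], $fields, true)) {`, so numeric-looking names can never match by coercion. This filter only decides which inputs are rendered; a client can still post any column, so the `fields` option handed to `patchEntity` in CRUDComponent is the actual control and a comment here should say so, e.g. `// Display filter only: the server-side 'fields' whitelist passed to patchEntity enforces what may be changed.` The `foreach` continues past the end of the hunk.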
|
||||