fix: [security] Removed a user's ability to change their role

- as reported by cert.pl
pull/32/head
iglocska 2020-11-05 10:17:42 +01:00
parent f98e9821dc
commit a7348e5266
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
3 changed files with 53 additions and 16 deletions


@ -71,14 +71,16 @@ class CRUDComponent extends Component
{
$this->getMetaTemplates();
$data = $this->Table->newEmptyEntity();
if (!empty($params['fields'])) {
$this->Controller->set('fields', $params['fields']);
}
if ($this->request->is('post')) {
$input = $this->request->getData();
if (!empty($params['override'])) {
foreach ($params['override'] as $field => $value) {
$input[$field] = $value;
}
$patchEntityParams = [];
$input = $this->__massageInput($params);
if (!empty($params['fields'])) {
$patchEntityParams['fields'] = $params['fields'];
}
$data = $this->Table->patchEntity($data, $input);
$data = $this->Table->patchEntity($data, $input, $patchEntityParams);
if ($this->Table->save($data)) {
$message = __('{0} added.', $this->ObjectAlias);
if (!empty($input['metaFields'])) {
@ -127,6 +129,23 @@ class CRUDComponent extends Component
}
}
private function __massageInput($params)
{
$input = $this->request->getData();
if (!empty($params['override'])) {
foreach ($params['override'] as $field => $value) {
$input[$field] = $value;
}
}
if (!empty($params['removeEmpty'])) {
foreach ($params['removeEmpty'] as $removeEmptyField)
if (isset($input[$removeEmptyField])) {
unset($input[$removeEmptyField]);
}
}
return $input;
}
public function edit(int $id, array $params = []): void
{
if (empty($id)) {
@ -135,14 +154,16 @@ class CRUDComponent extends Component
$this->getMetaTemplates();
$data = $this->Table->get($id, isset($params['get']) ? $params['get'] : []);
$data = $this->getMetaFields($id, $data);
if (!empty($params['fields'])) {
$this->Controller->set('fields', $params['fields']);
}
if ($this->request->is(['post', 'put'])) {
$input = $this->request->getData();
if (!empty($params['override'])) {
foreach ($params['override'] as $field => $value) {
$input[$field] = $value;
}
$patchEntityParams = [];
$input = $this->__massageInput($params);
if (!empty($params['fields'])) {
$patchEntityParams['fields'] = $params['fields'];
}
$this->Table->patchEntity($data, $this->request->getData());
$this->Table->patchEntity($data, $input, $patchEntityParams);
if ($this->Table->save($data)) {
$message = __('{0} updated.', $this->ObjectAlias);
if (!empty($input['metaFields'])) {
@ -161,7 +182,6 @@ class CRUDComponent extends Component
}
}
}
$this->Controller->set('entity', $data);
}
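Review bot: In `__massageInput`, the `removeEmpty` branch drops a field whenever it is present at all (`isset($input[$removeEmptyField])`), not only when it is empty, so a non-empty `password` submitted through `edit` would be stripped before `patchEntity` as well; unless the intent really is to always discard the field, the condition should be `if (isset($input[$removeEmptyField]) && $input[$removeEmptyField] === '') {`. The same `foreach` is written without braces while every other loop in the component uses them, and the new helper is untyped — `private function __massageInput(array $params): array` would match the `edit(int $id, array $params = []): void` signature a few lines below. A one-line docblock on the helper, stating that it applies `override` values on top of the request data and then strips the `removeEmpty` fields, would make the two `$params` keys discoverable from the component itself. The `add` and `edit` methods that call the helper both start outside their hunks.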


@ -57,11 +57,23 @@ class UsersController extends AppController
if (empty($id) || empty($this->ACL->getUser()['role']['perm_admin'])) {
$id = $this->ACL->getUser()['id'];
}
$this->CRUD->edit($id, [
$params = [
'get' => [
'fields' => ['id', 'individual_id', 'role_id', 'username', 'disabled']
'fields' => [
'id', 'individual_id', 'role_id', 'username', 'disabled'
]
],
'removeEmpty' => [
'password'
],
'fields' => [
'id', 'individual_id', 'username', 'disabled', 'password', 'confirm_password'
]
]);
];
if (!empty($this->ACL->getUser()['role']['perm_admin'])) {
$params['fields'][] = 'role_id';
}
$this->CRUD->edit($id, $params);
if ($this->ParamHandler->isRest()) {
return $this->restResponsePayload;
}
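Review bot: The admin check `!empty($this->ACL->getUser()['role']['perm_admin'])` is evaluated twice in this action, once to force `$id` to the caller's own id and once to decide whether `role_id` is patchable; hoisting it into `$isAdmin = !empty($this->ACL->getUser()['role']['perm_admin']);` and using it in both conditions keeps the two authorization decisions from drifting apart in a later edit. A short comment on the `$params['fields'][] = 'role_id';` line, e.g. `// role_id is mass-assignable only for admins; the fields whitelist passed to CRUD->edit is what blocks self-promotion`, would record why the field list is assembled in two steps. The enclosing action (presumably `edit`) starts before the hunk.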


@ -42,6 +42,11 @@
];
if (!empty($data['fields'])) {
foreach ($data['fields'] as $fieldData) {
if (!empty($fields)) {
if (!in_array($fieldData['field'], $fields)) {
continue;
}
}
// we reset the template each iteration as individual fields might override the defaults.
$this->Form->setTemplates($default_template);
if (isset($fieldData['requirements']) && !$fieldData['requirements']) {