From b41b0dd712c5b9cddaaf5d2103566c56e17ce2ad Mon Sep 17 00:00:00 2001
From: iglocska
Date: Sat, 19 Feb 2022 01:02:49 +0100
Subject: [PATCH] fix: [security] privilege escalation via user edit fixed
- org admins could circumvent the role restrictions and elevate themselves to a site admin
- as reported by Dawid Czarnecki from Zigrin Security
---
 src/Controller/UsersController.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 3d684a0..5f4e8eb 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -166,6 +166,12 @@ class UsersController extends AppController
 }
 return $data;
 };
+ $params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
+ if (!in_array($data['role_id'], array_keys($validRoles))) {
+ throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
+ }
+ return $data;
+ };
 }
 }
 $this->CRUD->edit($id, $params);
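Review bot: The membership test on the second added line calls `in_array` without `strict: true`, so it relies on loose comparison against the keys of `$validRoles`; a non-integer value in `$data['role_id']` (a boolean, for instance, which loosely equals any non-zero integer key) can satisfy the check, and if the key is absent the lookup emits an undefined-key warning before comparing `null`. Since `$validRoles` appears to be keyed by role id, normalise the value and test the key directly instead: `$roleId = $data['role_id'] ?? null;` followed by `if (!(is_int($roleId) || (is_string($roleId) && ctype_digit($roleId))) || !array_key_exists((int) $roleId, $validRoles)) {`. The closure also captures `$currentUser` but never reads it, so it can be dropped from the `use` list. The enclosing method and the `if` block that wraps this assignment both begin outside the hunk, so whether `$data` is the raw request array or an already-patched entity cannot be confirmed from here; if it is the raw array, a request that omits `role_id` would now be rejected rather than keeping the existing role.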