cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [security] privilege escalation via user edit fixed 

- org admins could circumvent the role restrictions and elevate themselves to a site admin

- as reported by Dawid Czarnecki from Zigrin Security
pull/92/head
iglocska 2022-02-19 01:02:49 +01:00
parent ad3e89199b
commit b41b0dd712
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/Controller/UsersController.php
View File

@ -166,6 +166,12 @@ class UsersController extends AppController
} }
return $data; return $data;
}; };
$params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
if (!in_array($data['role_id'], array_keys($validRoles))) {
throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
}
return $data;
};
} }
} }
$this->CRUD->edit($id, $params); $this->CRUD->edit($id, $params);