Merge pull request #3001 from connortechnology/update_users_controller

Update permissions checking when viewing/editing users.  Fixes #2982.…
This commit is contained in:
Isaac Connor 2020-08-18 09:00:07 -04:00 committed by GitHub
commit 4c69d7b748
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 71 additions and 37 deletions


@ -14,6 +14,18 @@ class UsersController extends AppController {
*/ */
public $components = array('RequestHandler', 'Paginator'); public $components = array('RequestHandler', 'Paginator');
public function beforeFilter() {
parent::beforeFilter();
global $user;
# We already tested for auth in appController, so we just need to test for specific permission
$canView = (!$user) || ($user['System'] != 'None');
if ( !$canView ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return;
}
}
/** /**
* index method * index method
* *
@ -23,6 +35,12 @@ class UsersController extends AppController {
public function index() { public function index() {
$this->User->recursive = 0; $this->User->recursive = 0;
global $user;
# We should actually be able to list our own user, but I'm not bothering at this time.
if ( $user['System'] == 'None' ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return;
}
$users = $this->Paginator->paginate('User'); $users = $this->Paginator->paginate('User');
$this->set(compact('users')); $this->set(compact('users'));
@ -37,9 +55,19 @@ class UsersController extends AppController {
*/ */
public function view($id = null) { public function view($id = null) {
$this->User->recursive = 1; $this->User->recursive = 1;
if (!$this->User->exists($id)) {
global $user;
# We can view ourselves
$canView = ($user['System'] != 'None') or ($user['Id'] == $id);
if ( !$canView ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return;
}
if ( !$this->User->exists($id) ) {
throw new NotFoundException(__('Invalid user')); throw new NotFoundException(__('Invalid user'));
} }
$options = array('conditions' => array('User.' . $this->User->primaryKey => $id)); $options = array('conditions' => array('User.' . $this->User->primaryKey => $id));
$user = $this->User->find('first', $options); $user = $this->User->find('first', $options);
@ -55,9 +83,16 @@ class UsersController extends AppController {
* @return void * @return void
*/ */
public function add() { public function add() {
if ($this->request->is('post')) { if ( $this->request->is('post') ) {
global $user;
if ( $user['System'] != 'Edit' ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return;
}
$this->User->create(); $this->User->create();
if ($this->User->save($this->request->data)) { if ( $this->User->save($this->request->data) ) {
return $this->flash(__('The user has been saved.'), array('action' => 'index')); return $this->flash(__('The user has been saved.'), array('action' => 'index'));
} }
$this->Session->setFlash( $this->Session->setFlash(
@ -76,7 +111,14 @@ class UsersController extends AppController {
public function edit($id = null) { public function edit($id = null) {
$this->User->id = $id; $this->User->id = $id;
if (!$this->User->exists($id)) { global $user;
$canEdit = ($user['System'] == 'Edit') or (($user['Id'] == $id) and ZM_USER_SELF_EDIT);
if ( !$canEdit ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return;
}
if ( !$this->User->exists($id) ) {
throw new NotFoundException(__('Invalid user')); throw new NotFoundException(__('Invalid user'));
} }
@ -87,8 +129,10 @@ class UsersController extends AppController {
$message = 'Error'; $message = 'Error';
} }
} else { } else {
# What is this doing? Resetting the request data? I understand clearing the password field
# but generally I feel like the request data should be read only
$this->request->data = $this->User->read(null, $id); $this->request->data = $this->User->read(null, $id);
unset($this->request->data['User']['password']); unset($this->request->data['User']['Password']);
} }
$this->set(array( $this->set(array(
@ -106,6 +150,13 @@ class UsersController extends AppController {
*/ */
public function delete($id = null) { public function delete($id = null) {
$this->User->id = $id; $this->User->id = $id;
global $user;
# Can't delete ourselves
if ( ($user['System'] != 'Edit') or ($user['Id'] == $id) ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return;
}
if ( !$this->User->exists() ) { if ( !$this->User->exists() ) {
throw new NotFoundException(__('Invalid user')); throw new NotFoundException(__('Invalid user'));
} }
@ -120,35 +171,4 @@ class UsersController extends AppController {
'_serialize' => array('message') '_serialize' => array('message')
)); ));
} }
} # end class UsersController
public function beforeFilter() {
parent::beforeFilter();
if ( ZM_OPT_USE_AUTH ) {
$this->Auth->allow('add', 'logout');
} else {
$this->Auth->allow();
}
}
public function login() {
if ( !ZM_OPT_USE_AUTH ) {
$this->set(array(
'message' => 'Login is not required.',
'_serialize' => array('message')
));
return;
}
if ( $this->request->is('post') ) {
if ( $this->Auth->login() ) {
return $this->redirect($this->Auth->redirectUrl());
}
$this->Session->setFlash(__('Invalid username or password, try again'));
}
}
public function logout() {
return $this->redirect($this->Auth->logout());
}
}
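Review bot: The self-access branch in view() and edit() never takes effect because `or` binds looser than `=`: `$canView = ($user['System'] != 'None') or ($user['Id'] == $id);` assigns only the first operand, so a user with System 'None' is refused their own record and, in edit(), ZM_USER_SELF_EDIT is never honoured (delete() is unaffected since its `or` sits inside the `if` parentheses). Use the high-precedence operators instead: `$canView = ($user['System'] != 'None') || ($user['Id'] == $id);` and `$canEdit = ($user['System'] == 'Edit') || (($user['Id'] == $id) && ZM_USER_SELF_EDIT);`. The failure is at least closed rather than open, and the `return;` after each throw is unreachable and can be dropped. If edit() saves `$this->request->data` unfiltered (its save call lies outside the hunk), a self-edit could also change the caller's own System level, so once the self-edit path works it should be restricted to an explicit field list. The bodies of view() and edit() continue beyond the hunk.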


@ -21,6 +21,20 @@ class User extends AppModel {
) )
); );
function beforeFind($query) {
if ( empty($query['fields']) ) {
$schema = $this->schema();
unset($schema['Password']);
foreach (array_keys($schema) as $field) {
$query['fields'][] = $this->alias . '.' . $field;
}
return $query;
}
return parent::beforeFind($query);
}
/** /**
* Use table * Use table
* *