
Fixed issue #19087: [security] Account takeover through Import User function (#3735)
Shnoulle committed Feb 21, 2024
1 parent 49086a4 commit 34e65bb
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions application/controllers/UserManagementController.php
Expand Up @@ -933,6 +933,16 @@ public function actionImportUsers(string $importFormat = 'csv'): string

if ($oUser !== null) {
if ($overwriteUsers) {
/* Check permission to edit this user */
if (!$oUser->canEdit()) {
Yii::app()->setFlashMessage(sprintf(gT("You don't have permission to edit user %s."), $aNewUser['users_name']), 'warning');
continue;
}
/* Check permission to edit self */
if ($oUser->uid == App()->user->id) {
Yii::app()->setFlashMessage(gT("You can not use import to edit your account."), 'warning');
continue;
}
$oUser->full_name = $aNewUser['full_name'];
$oUser->email = $aNewUser['email'];
$oUser->parent_id = App()->user->id;
Expand Down Expand Up @@ -975,8 +985,9 @@ public function actionImportUsers(string $importFormat = 'csv'): string
}
}
}

Yii::app()->setFlashMessage(gT("Users imported successfully."), 'success');
if (count($created) || count($updated)) {
Yii::app()->setFlashMessage(gT("Users imported successfully."), 'success');
}
$this->redirect(['userManagement/index']);
}

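Review bot: The warning emitted when `canEdit()` fails interpolates `$aNewUser['users_name']`, a value taken from the uploaded import file, directly into the flash message; unless the flash renderer HTML-encodes its messages, that untrusted string reaches the page unescaped, so I would write `sprintf(gT("You don't have permission to edit user %s."), CHtml::encode($aNewUser['users_name']))`. The self-edit guard uses a loose `$oUser->uid == App()->user->id`; the ActiveRecord attribute is presumably a string while the session id may be an int, so an explicit `(int) $oUser->uid === (int) App()->user->id` states the intent without relying on `==` coercion. Both new checks sit only in the `$overwriteUsers` branch, and the enclosing loop and actionImportUsers start before and end after the hunk, so the create path is not visible here.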
