

Fixed issue #19133: [security] User can send email to group members, …
…while not having permissions (#3586)
Shnoulle committed Nov 3, 2023
1 parent 000db27 commit 990a51a
Showing 2 changed files with 35 additions and 41 deletions.
70 changes: 32 additions & 38 deletions application/controllers/UserGroupController.php
Expand Up @@ -100,10 +100,6 @@ public function actionIndex()
*/
public function actionViewGroup($ugid, bool $header = false)
{
if (!Permission::model()->hasGlobalPermission('usergroups', 'read')) {
throw new CHttpException(403);
}

$ugid = (int)$ugid;
if (empty($ugid)) {
throw new CHttpException(400, gT('GroupId missing'));
Expand All @@ -114,18 +110,15 @@ public function actionViewGroup($ugid, bool $header = false)
throw new CHttpException(404, gT("User group not found."));
}

// Only allow access if user is:
// - Superadmin
// - Owner of the group
// - Member of the group
/* Permission check */
if (
!(
$userGroup->owner_id == Yii::app()->user->id ||
$userGroup->hasUser(Yii::app()->user->id) ||
Permission::model()->hasGlobalPermission('superadmin', 'read')
Permission::model()->hasGlobalPermission('superadmin', 'read') // Can always see all
|| $userGroup->owner_id == App()->getCurrentUserId() // Are the owner
|| ($userGroup->hasUser(App()->getCurrentUserId()) && Permission::model()->hasGlobalPermission('usergroups', 'read')) // Inside group, and allowed to see all usergroups
)
) {
throw new CHttpException(403);
throw new CHttpException(403, gT("No access : you do not have permission to this users group."));
}

$aData = [];
Expand Down Expand Up @@ -478,34 +471,35 @@ public function actionMailToAllUsersInGroup(int $ugid)
{
$ugid = sanitize_int($ugid);
$action = Yii::app()->request->getPost("action");
$currentUserId = App()->getCurrentUserId();
$userGroup = UserGroup::model()->findByPk($ugid);
if (empty($userGroup)) {
throw new CHttpException(404, gT("User group not found."));
}
if (
!Permission::model()->hasGlobalPermission('superadmin', 'read') // User is superadmin
&& $userGroup->owner_id != $currentUserId // User is owner
) {
throw new CHttpException(403, gT("No access : you do not have permission to send emails to all users."));
}
$redirectUrl = App()->createUrl("userGroup/viewGroup", ['ugid' => $ugid]);
$aData = [];

if ($action == "mailsendusergroup") {
// user must be in user group or superadmin
if ($ugid === null) {
$ugid = (int) Yii::app()->request->getPost('ugid');
}
$result = UserInGroup::model()->findAllByPk(array('ugid' => (int)$ugid, 'uid' => Yii::app()->session['loginID']));
if (count($result) > 0 || Permission::model()->hasGlobalPermission('superadmin', 'read')) {
try {
$sendCopy = Yii::app()->getRequest()->getPost('copymail') == 1 ? 1 : 0;
$emailSendingResults = UserGroup::model()->sendUserEmails(
$ugid,
Yii::app()->getRequest()->getPost('subject'),
Yii::app()->getRequest()->getPost('body'),
$sendCopy
);

Yii::app()->user->setFlash('success', $emailSendingResults);
$this->redirect(array('userGroup/viewGroup/ugid/' . $ugid));
} catch (Exception $e) {
// TODO: Show error message?
Yii::app()->user->setFlash('error', gT("Error: no email has been send."));
$this->redirect(array('userGroup/viewGroup/ugid/' . $ugid));
}
} else {
Yii::app()->user->setFlash('error', gT("You do not have permission to send emails to all users. "));
$this->redirect(array('userGroup/viewGroup/ugid/' . $ugid));
try {
$sendCopy = App()->getRequest()->getPost('copymail', 0);
$emailSendingResults = UserGroup::model()->sendUserEmails(
$ugid,
App()->getRequest()->getPost('subject'),
App()->getRequest()->getPost('body'),
$sendCopy
);

Yii::app()->user->setFlash('success', $emailSendingResults);
$this->redirect($redirectUrl);
} catch (Exception $e) {
// TODO: Show error message?
Yii::app()->user->setFlash('error', gT("Error: no email has been send."));
$this->redirect($redirectUrl);
}
} else {
$aData['ugid'] = $ugid;
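Review bot: `$sendCopy = App()->getRequest()->getPost('copymail', 0);` hands the raw POST value straight to `sendUserEmails()`, whereas the line it replaces normalised it to `1` or `0`; a value such as `"no"` would now be forwarded as the copy flag, and whether the callee tolerates that is not visible in this hunk. I would keep the normalisation: `$sendCopy = App()->getRequest()->getPost('copymail') == 1 ? 1 : 0;`. The inline comments on the new guard read as the opposite of what the condition tests (`!Permission::model()->hasGlobalPermission('superadmin', 'read') // User is superadmin`); `// not a superadmin` and `// and not the group owner` would match the negated logic, and `$action == "mailsendusergroup"` would be clearer as `===`. actionMailToAllUsersInGroup continues past the end of the hunk.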
6 changes: 3 additions & 3 deletions application/views/userGroup/usergroupbar_view.php
Expand Up @@ -23,23 +23,23 @@
<?php endif; ?>

<!-- Mail to all Members -->
<?php if (isset($usergroupbar['edit'])) : ?>
<?php if (isset($usergroupbar['edit']) && (App()->getCurrentUserId() == $userGroup->owner_id || Permission::model()->hasGlobalPermission('superadmin', 'read'))) :?>
<a class="btn btn-default" href="<?php echo $this->createUrl("userGroup/mailToAllUsersInGroup/ugid/" . $userGroup->ugid); ?>" role="button">
<span class="icon-invite text-success"></span>
<?php eT("Mail to all Members"); ?>
</a>
<?php endif;?>

<!-- Edit current user group -->
<?php if (isset($usergroupbar['edit']) && (Yii::app()->session['loginID'] == $userGroup->owner_id || Permission::model()->hasGlobalPermission('superadmin', 'read'))) :?>
<?php if (isset($usergroupbar['edit']) && (App()->getCurrentUserId() == $userGroup->owner_id || Permission::model()->hasGlobalPermission('superadmin', 'read'))) :?>
<a class="btn btn-default" href="<?php echo $this->createUrl("userGroup/edit/ugid/" . $userGroup->ugid); ?>" role="button">
<span class="fa fa-pencil text-success"></span>
<?php eT("Edit current user group"); ?>
</a>
<?php endif;?>

<!-- Delete current user group -->
<?php if (isset($usergroupbar['edit']) && (Yii::app()->session['loginID'] == $userGroup->owner_id || Permission::model()->hasGlobalPermission('superadmin', 'read'))) :?>
<?php if (isset($usergroupbar['edit']) && (App()->getCurrentUserId() == $userGroup->owner_id || Permission::model()->hasGlobalPermission('superadmin', 'read'))) :?>
<a class="btn btn-default" href='#' onclick='if (confirm("<?php eT("Are you sure you want to delete this entry?", "js"); ?>")) { <?php echo convertGETtoPOST($this->createUrl('userGroup/deleteGroup?ugid=' . $userGroup->ugid)); ?>}'>
<span class="fa fa-trash text-success"></span>
<?php eT("Delete current user group"); ?>
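Review bot: The owner-or-superadmin expression is now repeated verbatim on all three `<?php if` guards in this section, so the next permission tweak has to be made three times and can drift from the controller check without anyone noticing. Evaluating it once near the top of the view, `<?php $canManageGroup = App()->getCurrentUserId() == $userGroup->owner_id || Permission::model()->hasGlobalPermission('superadmin', 'read'); ?>`, and writing each guard as `<?php if (isset($usergroupbar['edit']) && $canManageGroup) : ?>` keeps the three buttons in step. The view only hides the button; the 403 added in `actionMailToAllUsersInGroup` is what actually enforces the rule, which is the right split. The markup enclosing these guards lies outside the hunk.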
