Skip to content

Commit

Permalink
Fixed issue #19118: [security] Improper permission management on bul…
Browse files Browse the repository at this point in the history 
…k actions (#3579)
  • Loading branch information
@Shnoulle
Shnoulle committed Nov 6, 2023
1 parent 138b1d6 commit fcd22aa
Showing 1 changed file with 61 additions and 49 deletions.
110 changes: 61 additions & 49 deletions application/controllers/UserManagementController.php
View file
Expand Up @@ -1014,21 +1014,23 @@ public function actionBatchSendAndResetLoginData()
$aResults[$user]['title'] = $oUser->users_name;
//User should not reset and resend email to himself throw massive action
if ($oUser->uid == Yii::app()->user->id) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("Error! Please change your password from your profile settings.");
} else {
//not modify original superuser
if ($oUser->uid == 1) {
$aResults[$user]['error'] = gT("Error! You do not have the permission to edit this user.");
} else {
$passwordManagement = new \LimeSurvey\Models\Services\PasswordManagement($oUser);
$successData = $passwordManagement->sendPasswordLinkViaEmail(\LimeSurvey\Models\Services\PasswordManagement::EMAIL_TYPE_RESET_PW);
$success = $successData['success'];
if (!$success) {
$aResults[$user]['error'] = sprintf(gT("Error: New password could not be sent to %s"), $oUser->email);
}
$aResults[$user]['result'] = $success;
}
continue;
}
$userManager = new UserManager(Yii::app()->user, $oUser);
if (!$userManager->canEdit()) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("Error! You do not have the permission to edit this user.");
continue;
}
$passwordManagement = new \LimeSurvey\Models\Services\PasswordManagement($oUser);
$successData = $passwordManagement->sendPasswordLinkViaEmail(\LimeSurvey\Models\Services\PasswordManagement::EMAIL_TYPE_RESET_PW);
$success = $successData['success'];
if (!$success) {
$aResults[$user]['error'] = sprintf(gT("Error: New password could not be sent to %s"), $oUser->email);
}
$aResults[$user]['result'] = $success;
}

$tableLabels = array(gT('User ID'), gT('Username'), gT('Status'));
Expand Down Expand Up @@ -1062,11 +1064,24 @@ public function actionBatchPermissions()
$aPermissions = Yii::app()->request->getPost('Permission', []);
$results = [];
foreach ($userIds as $iUserId) {
$aPermissionsResults = $this->applyPermissionFromArray($iUserId, $aPermissions);
$oUser = User::model()->findByPk($iUserId);
$results[$iUserId] = [
'title' => $oUser->users_name
];
if ($oUser->uid == Yii::app()->user->id) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("You can not update your own permission.");
continue;
}
$userManager = new UserManager(Yii::app()->user, $oUser);
if (!$userManager->canAssignPermissions()) {
$results[$iUserId]['result'] = false;
$results[$iUserId]['error'] = gT("You are not allowed to assign permissions to this user.");
continue;
}
$aPermissionsResults = $this->applyPermissionFromArray($iUserId, $aPermissions);
$oUser->modified = date('Y-m-d H:i:s');
$results[$iUserId]['result'] = $oUser->save();
$results[$iUserId]['title'] = $oUser->users_name;
foreach ($aPermissionsResults as $aPermissionsResult) {
if (!$aPermissionsResult['success']) {
$results[$iUserId]['result'] = false;
Expand Down Expand Up @@ -1106,35 +1121,32 @@ public function actionBatchAddGroup()
);
}
$aItems = json_decode(Yii::app()->request->getPost('sItems', []));
$iUserGroupId = Yii::app()->request->getPost('addtousergroup');

if ($iUserGroupId) {
$oUserGroup = UserGroup::model()->findByPk($iUserGroupId);
$aResults = [];

foreach ($aItems as $sItem) {
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;
if (!$oUserGroup->hasUser($sItem)) {
$aResults[$sItem]['result'] = $oUserGroup->addUser($sItem);
} else {
$aResults[$sItem]['result'] = false;
$aResults[$sItem]['error'] = gT('User is already a member of the group.');
}
}
} else {
foreach ($aItems as $sItem) {
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;
$iUserGroupId = intval(App()->request->getPost('addtousergroup'));
$oUserGroup = UserGroup::model()->findByPk($iUserGroupId);

if (!$iUserGroupId || !$oUserGroup) {
throw new CHttpException(404, gT("Group not found"));
}
/* see UserGroupController->checkBeforeAddDeleteUser */
if (!Permission::model()->hasGlobalPermission('superadmin', 'read') && $oUserGroup->owner_id != App()->getCurrentUserId()) {
throw new CHttpException(403, gT("You do not have permission to access this page."));
}

/* @var array construct ressult for each user */
$aResults = [];
foreach ($aItems as $sItem) {
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;
if (!$oUserGroup->hasUser($sItem)) {
$aResults[$sItem]['result'] = $oUserGroup->addUser($sItem);
} else {
$aResults[$sItem]['result'] = false;
$aResults[$sItem]['error'] = gT('No user group selected.');
$aResults[$sItem]['error'] = gT('User is already a member of the group.');
}
}

$tableLabels = array(gT('User ID'), gT('Username'), gT('Status'));

Yii::app()->getController()->renderPartial(
'ext.admin.survey.ListSurveysWidget.views.massive_actions._action_results',
array(
Expand All @@ -1153,12 +1165,8 @@ public function actionBatchAddGroup()
*/
public function actionBatchApplyRoles()
{
/* Need super admin roles */
if (!Permission::model()->hasGlobalPermission('superadmin')) {
return $this->renderPartial(
'partial/error',
['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
);
if (!Permission::model()->hasGlobalPermission('superadmin', 'create')) {
throw new CHttpException(403, gT("You do not have permission to access this page."));
}
$aItems = json_decode(Yii::app()->request->getPost('sItems', []));
$aUserRoleIds = Yii::app()->request->getPost('roleselector');
Expand All @@ -1168,11 +1176,15 @@ public function actionBatchApplyRoles()
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;

if (Permission::isForcedSuperAdmin($sItem)) {
/* Show an error for forced super admin, this don't disable for DB superadmin */
if ($model->uid == Yii::app()->user->id) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("You can not update your own roles.");
continue;
}
$userManager = new UserManager(Yii::app()->user, $model);
if (!$userManager->canAssignRole()) {
$aResults[$sItem]['result'] = false;
$aResults[$sItem]['error'] = gT('The superadmin role cannot be changed.');
$aResults[$sItem]['error'] = gT('You can not set role to this user.');
} else {
foreach ($aUserRoleIds as $iUserRoleId) {
$aResults[$sItem]['result'] = Permissiontemplates::model()->applyToUser($sItem, $iUserRoleId);
Expand Down

0 comments on commit fcd22aa

Please sign in to comment.