Skip to content
Permalink
Browse files Browse the repository at this point in the history
FIX Broken Access Control reported by Ahsan Aziz.
  • Loading branch information
eldy committed Jun 13, 2021
1 parent 497e9ed commit c4cba43
Show file tree
Hide file tree
Showing 3 changed files with 42 additions and 9 deletions.
1 change: 1 addition & 0 deletions htdocs/langs/en_US/errors.lang
Expand Up @@ -11,6 +11,7 @@ ErrorBadValueForParamNotAString=Bad value for your parameter. It appends general
ErrorRefAlreadyExists=Reference <b>%s</b> already exists.
ErrorLoginAlreadyExists=Login %s already exists.
ErrorGroupAlreadyExists=Group %s already exists.
ErrorEmailAlreadyExists=Email %s already exists.
ErrorRecordNotFound=Record not found.
ErrorFailToCopyFile=Failed to copy file '<b>%s</b>' into '<b>%s</b>'.
ErrorFailToCopyDir=Failed to copy directory '<b>%s</b>' into '<b>%s</b>'.
Expand Down
22 changes: 14 additions & 8 deletions htdocs/user/card.php
Expand Up @@ -444,16 +444,22 @@

$object->lang = GETPOST('default_lang', 'aZ09');

if (!empty($conf->multicompany->enabled)) {
if (GETPOST("superadmin")) {
$object->entity = 0;
} elseif (!empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
$object->entity = 1; // all users in master entity
// Do we update also ->entity ?
if (!empty($conf->multicompany->enabled)) { // If multicompany is not enabled, we never update the entity of a user.
if (!empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
$object->entity = 1; // all users are in master entity
} else {
$object->entity = (!GETPOST('entity', 'int') ? 0 : GETPOST('entity', 'int'));
// A user should not be able to move a user into another entity. Only superadmin should be able to do this.
if ($user->entity == 0 && $user->admin) {
if (GETPOST("superadmin")) {
// We try to set the user as superadmin.
$object->entity = 0;
} else {
// We try to change the entity of user
$object->entity = (GETPOSTISSET('entity') ? GETPOSTINT('entity') : $object->entity);
}
}
}
} else {
$object->entity = (!GETPOST('entity', 'int') ? 0 : GETPOST('entity', 'int'));
}

// Fill array 'array_options' with data from add form
Expand Down
28 changes: 27 additions & 1 deletion htdocs/user/class/user.class.php
Expand Up @@ -1662,6 +1662,32 @@ public function update($user, $notrigger = 0, $nosyncmember = 0, $nosyncmemberpa

$this->db->begin();

// Check if login already exists in same entity or into entity 0.
if ($this->oldcopy->login != $this->login) {
$sqltochecklogin = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."user WHERE entity IN (".((int) $this->entity).", 0) AND login = '".$this->db->escape($this->login)."'";
$resqltochecklogin = $this->db->query($sqltochecklogin);
if ($resqltochecklogin) {
$objtochecklogin = $this->db->fetch_object($resqltochecklogin);
if ($objtochecklogin && $objtochecklogin->nb > 0) {
$langs->load("errors");
$this->error = $langs->trans("ErrorLoginAlreadyExists", $this->login);
return -1;
}
}
}
if ($this->email !== '' && $this->oldcopy->email != $this->email) {
$sqltochecklogin = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."user WHERE entity IN (".((int) $this->entity).", 0) AND email = '".$this->db->escape($this->email)."'";
$resqltochecklogin = $this->db->query($sqltochecklogin);
if ($resqltochecklogin) {
$objtochecklogin = $this->db->fetch_object($resqltochecklogin);
if ($objtochecklogin && $objtochecklogin->nb > 0) {
$langs->load("errors");
$this->error = $langs->trans("ErrorEmailAlreadyExists", $this->email);
return -1;
}
}
}

// Update datas
$sql = "UPDATE ".MAIN_DB_PREFIX."user SET";
$sql .= " civility = '".$this->db->escape($this->civility_code)."'";
Expand Down Expand Up @@ -1715,7 +1741,7 @@ public function update($user, $notrigger = 0, $nosyncmember = 0, $nosyncmemberpa
$sql .= ", salaryextra= ".($this->salaryextra != '' ? "'".$this->db->escape($this->salaryextra)."'" : "null");
}
$sql .= ", weeklyhours= ".($this->weeklyhours != '' ? "'".$this->db->escape($this->weeklyhours)."'" : "null");
$sql .= ", entity = '".$this->db->escape($this->entity)."'";
$sql .= ", entity = ".((int) $this->entity);
$sql .= ", default_range = ".($this->default_range > 0 ? $this->default_range : 'null');
$sql .= ", default_c_exp_tax_cat = ".($this->default_c_exp_tax_cat > 0 ? $this->default_c_exp_tax_cat : 'null');
$sql .= ", fk_warehouse = ".($this->fk_warehouse > 0 ? $this->fk_warehouse : "null");
Expand Down

0 comments on commit c4cba43

Please sign in to comment.