Fixed issue #19598: [security] No CSRF protection on userManagement (…

…thanks to paoloelia) (#3881)
LimeSurvey · Jun 21, 2024 · a3355fd · a3355fd
1 parent 31f03d0
commit a3355fd
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/application/controllers/UserManagementController.php b/application/controllers/UserManagementController.php
@@ -34,6 +34,19 @@ public function accessRules()
         );
     }
 
+    /**
+     * @inheritdoc
+     */
+    public function filters()
+    {
+        return [
+            'postOnly + applyEdit, runAddDummyUser, deleteUser, userActivateDeactivate,'
+            . ' batchStatus, saveUserPermissions, saveThemePermissions, saveRole, importUsers, deleteMultiple,'
+            . ' batchSendAndResetLoginData, batchPermissions, batchAddGroup, batchApplyRoles,'
+            . ' TakeOwnership'
+        ];
+    }
+
     /**
      * @return string|string[]|null
      * @throws CException
@@ -1255,6 +1268,9 @@ public function actionTakeOwnership()
      */
     public function deleteUser(int $uid): bool
     {
+        if (!App()->getRequest()->getIsPostRequest()) {
+            throw new CHttpException(400, gT('Your request is invalid.'));
+        }
         $permission_users_delete = Permission::model()->hasGlobalPermission('users', 'delete');
         $permission_superadmin_read = Permission::model()->hasGlobalPermission('superadmin', 'read');
         if (!$permission_users_delete) {
@@ -1335,6 +1351,12 @@ public function loadModel(int $id): User
      */
     public function updateAdminUser(array $aUser): User
     {
+        if (
+            !App()->getRequest()->getIsPostRequest()
+            && !(defined('PHP_ENV') && PHP_ENV == 'test') // For unit test
+        ) {
+            throw new CHttpException(400, gT('Your request is invalid.'));
+        }
         $oUser = $this->loadModel($aUser['uid']);
         // Abort if logged in user has no access to this user.
         // Using same logic as User::getButtons().
@@ -1416,6 +1438,9 @@ private function createAdminUser(array $aUser, bool $sendEmail = true): array
      */
     public function createNewUser(array $aUser): array
     {
+        if (!App()->getRequest()->getIsPostRequest()) {
+            throw new CHttpException(400, gT('Your request is invalid.'));
+        }
         if (!Permission::model()->hasGlobalPermission('users', 'create')) {
             return Yii::app()->getController()->renderPartial('/admin/super/_renderJson', [
                 "data" => [