Fixed issue #19118: [security] Improper permission management on bulk…
… actions (#3580)
Shnoulle committed Nov 6, 2023
1 parent 5518eaf commit fbd4724
Showing 1 changed file with 60 additions and 59 deletions.
119 changes: 60 additions & 59 deletions application/controllers/UserManagementController.php
Expand Up @@ -1018,21 +1018,23 @@ public function actionBatchSendAndResetLoginData()
$aResults[$user]['title'] = $oUser->users_name;
//User should not reset and resend email to himself throw massive action
if ($oUser->uid == Yii::app()->user->id) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("Error! Please change your password from your profile settings.");
} else {
//not modify original superuser
if ($oUser->uid == 1) {
$aResults[$user]['error'] = gT("Error! You do not have the permission to edit this user.");
} else {
$passwordManagement = new \LimeSurvey\Models\Services\PasswordManagement($oUser);
$successData = $passwordManagement->sendPasswordLinkViaEmail(\LimeSurvey\Models\Services\PasswordManagement::EMAIL_TYPE_RESET_PW);
$success = $successData['success'];
if (!$success) {
$aResults[$user]['error'] = sprintf(gT("Error: New password could not be sent to %s"), $oUser->email);
}
$aResults[$user]['result'] = $success;
}
continue;
}
$userManager = new UserManager(Yii::app()->user, $oUser);
if (!$userManager->canEdit()) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("Error! You do not have the permission to edit this user.");
continue;
}
$passwordManagement = new \LimeSurvey\Models\Services\PasswordManagement($oUser);
$successData = $passwordManagement->sendPasswordLinkViaEmail(\LimeSurvey\Models\Services\PasswordManagement::EMAIL_TYPE_RESET_PW);
$success = $successData['success'];
if (!$success) {
$aResults[$user]['error'] = sprintf(gT("Error: New password could not be sent to %s"), $oUser->email);
}
$aResults[$user]['result'] = $success;
}

$tableLabels = array(gT('User ID'), gT('Username'), gT('Status'));
Expand Down Expand Up @@ -1066,8 +1068,22 @@ public function actionBatchPermissions()
$aPermissions = Yii::app()->request->getPost('Permission', []);
$results = [];
foreach ($userIds as $iUserId) {
$aPermissionsResults = $this->applyPermissionFromArray($iUserId, $aPermissions);
$oUser = User::model()->findByPk($iUserId);
$results[$iUserId] = [
'title' => $oUser->users_name
];
if ($oUser->uid == Yii::app()->user->id) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("You can not update your own permission.");
continue;
}
$userManager = new UserManager(Yii::app()->user, $oUser);
if (!$userManager->canAssignPermissions()) {
$results[$iUserId]['result'] = false;
$results[$iUserId]['error'] = gT("You are not allowed to assign permissions to this user.");
continue;
}
$aPermissionsResults = $this->applyPermissionFromArray($iUserId, $aPermissions);
$oUser->modified = date('Y-m-d H:i:s');
$results[$iUserId]['result'] = $oUser->save();
$results[$iUserId]['title'] = $oUser->users_name;
Expand Down Expand Up @@ -1104,47 +1120,29 @@ public function actionBatchPermissions()
public function actionBatchAddGroup()
{
if (!Permission::model()->hasGlobalPermission('users', 'update')) {
return $this->renderPartial(
'partial/error',
['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
);
throw new CHttpException(403, gT("You do not have permission to access this page."));
}
$aItems = json_decode(Yii::app()->request->getPost('sItems', '')) ?? [];
$iUserGroupId = Yii::app()->request->getPost('addtousergroup');

if ($iUserGroupId) {
$oUserGroup = UserGroup::model()->findByPk($iUserGroupId);
/* check if have permission */
if (
Permission::model()->hasGlobalPermission('usergroups', 'update') /* Global update permission @see UserGroupController->actionEdit */
|| $oUserGroup->requestEditGroup($oUserGroup->ugid, Yii::app()->session['loginID']) /* This user group permission */
) {
$aResults = [];
foreach ($aItems as $sItem) {
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;
if (!$oUserGroup->hasUser($sItem)) {
$aResults[$sItem]['result'] = $oUserGroup->addUser($sItem);
} else {
$aResults[$sItem]['result'] = false;
$aResults[$sItem]['error'] = gT('User is already a member of the group.');
}
}
$iUserGroupId = App()->request->getPost('addtousergroup');
$oUserGroup = UserGroup::model()->findByPk($iUserGroupId);
if (!$oUserGroup) {
throw new CHttpException(404, gT("Group not found"));
}
/* check if have permission */
if (!Permission::model()->hasGlobalPermission('superadmin', 'read') && $oUserGroup->requestEditGroup($oUserGroup->ugid, App()->getCurrentUserId())) {
throw new CHttpException(403, gT("You do not have permission to access this page."));
}

$aResults = [];
foreach ($aItems as $sItem) {
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;
if (!$oUserGroup->hasUser($sItem)) {
$aResults[$sItem]['result'] = $oUserGroup->addUser($sItem);
} else {
$aResults[0] = [
'title' => gT("All"),
'result' => false,
'error' => gT('You don\'t have permission on this group.')
];
}
} else {
foreach ($aItems as $sItem) {
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;
$aResults[$sItem]['result'] = false;
$aResults[$sItem]['error'] = gT('No user group selected.');
$aResults[$sItem]['error'] = gT('User is already a member of the group.');
}
}

Expand All @@ -1169,11 +1167,8 @@ public function actionBatchAddGroup()
public function actionBatchApplyRoles()
{
/* Need super admin roles */
if (!Permission::model()->hasGlobalPermission('superadmin')) {
return $this->renderPartial(
'partial/error',
['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
);
if (!Permission::model()->hasGlobalPermission('superadmin', 'create')) {
throw new CHttpException(403, gT("You do not have permission to access this page."));
}
$aItems = json_decode(Yii::app()->request->getPost('sItems', '')) ?? [];
$aUserRoleIds = Yii::app()->request->getPost('roleselector');
Expand All @@ -1183,16 +1178,22 @@ public function actionBatchApplyRoles()
$aResults[$sItem]['title'] = '';
$model = $this->loadModel($sItem);
$aResults[$sItem]['title'] = $model->users_name;
if (Permission::isForcedSuperAdmin($sItem)) {
/* Show an error for forced super admin, this don't disable for DB superadmin */
if ($model->uid == Yii::app()->user->id) {
$aResults[$user]['result'] = false;
$aResults[$user]['error'] = gT("You can not update your own roles.");
continue;
}
$userManager = new UserManager(Yii::app()->user, $model);
if (!$userManager->canAssignRole()) {
$aResults[$sItem]['result'] = false;
$aResults[$sItem]['error'] = gT('The superadmin role cannot be changed.');
$aResults[$sItem]['error'] = gT('You can not set role to this user.');
} else {
foreach ($aUserRoleIds as $iUserRoleId) {
$aResults[$sItem]['result'] = Permissiontemplates::model()->applyToUser($sItem, $iUserRoleId);
}
}
}

$tableLabels = array(gT('User ID'), gT('Username'), gT('Status'));

Yii::app()->getController()->renderPartial(
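Review bot: The new group-permission guard in actionBatchAddGroup looks inverted: `if (!Permission::model()->hasGlobalPermission('superadmin', 'read') && $oUserGroup->requestEditGroup($oUserGroup->ugid, App()->getCurrentUserId()))` throws 403 when the caller is not a superadmin AND requestEditGroup() is truthy, whereas the removed code used a truthy requestEditGroup() as the grant (`|| $oUserGroup->requestEditGroup(...)` with the comment "This user group permission"). If requestEditGroup() keeps that meaning, non-superadmins who own the group are now rejected and non-superadmins who do not own it fall through to the add loop, which is the opposite of the intended hardening. The condition should negate the second operand, `if (!Permission::model()->hasGlobalPermission('superadmin', 'read') && !$oUserGroup->requestEditGroup($oUserGroup->ugid, App()->getCurrentUserId())) {`, and this is worth a regression test with a non-superadmin group owner and a non-owner. Note also that the global check changed from `usergroups`/`update` to `superadmin`/`read`; if that narrowing is deliberate, a one-line comment stating why would help. The end of actionBatchAddGroup lies outside this hunk.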
