security breach on action case insensitivity

alterphp · Oct 1, 2018 · 68407ca · 68407ca · BackEndTea · Oct 2, 2018
1 parent afa2f42
commit 68407ca
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/src/Security/AdminAuthorizationChecker.php b/src/Security/AdminAuthorizationChecker.php
@@ -62,6 +62,9 @@ public function isEasyAdminGranted(array $entityConfig, string $actionName, $sub
 
     protected function getRequiredRole(array $entityConfig, string $actionName)
     {
+        // Prevent from security breach: role for 'list' action was not required for 'List' nor 'LIST'...
+        $actionName = strtolower($actionName);
+
         if (isset($entityConfig[$actionName]) && isset($entityConfig[$actionName]['role'])) {
             return $entityConfig[$actionName]['role'];
         } elseif (isset($entityConfig['role_prefix'])) {

diff --git a/tests/Controller/UserRolesTest.php b/tests/Controller/UserRolesTest.php
@@ -191,4 +191,51 @@ public function testAdminGroupRolesFormMayDisplay()
             $crawler->filter('form#edit-admingroup-form .field-easyadmin_admin_roles input[type="checkbox"]')->count()
         );
     }
+
+    public function testEntityActionsAreForbiddenOnCaseInsensitiveSpecificRoles()
+    {
+        $this->logIn(['ROLE_ADMIN']);
+
+        $this->client->followRedirects();
+
+        // Edit
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'edit', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Edit', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'EDIT', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+
+        // Show
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'show', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Show', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'SHOW', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+    }
 }