Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

When editing current user, last administrator may be removed #4577

Closed
TheWitness opened this issue Feb 27, 2022 · 1 comment
Closed

When editing current user, last administrator may be removed #4577

TheWitness opened this issue Feb 27, 2022 · 1 comment
Labels
bug Undesired behaviour
Milestone

Comments

@TheWitness
Copy link
Member

Describe the bug

Cacti allows you to disable the currently logged in user, thus kicking your out of Cacti.

Expected behavior

Less Cacti bugs.

@TheWitness TheWitness added the bug Undesired behaviour label Feb 27, 2022
@TheWitness TheWitness added this to the v1.2.20 milestone Feb 27, 2022
@TheWitness TheWitness changed the title Cacti allows you to disable the currently logged in administrator disabling the user Cacti allows you to disable or delete the currently logged in administrator disabling the user Feb 27, 2022
TheWitness added a commit that referenced this issue Feb 27, 2022
#4578, #4574

-security#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks
-security#4579: Cacti account lockout policies are not properly applied to LDAP and Domain Users
-issue#4573: The Cacti permission system does not scale to very large installations
-issue#4575: When you delete a user, their 'remember me' cookie data is not automatically removed
-issue#4576: Stored XSS Issue in Cacti Device, Graph, Graph Template, and Graph Items callbacks
-issue#4577: Cacti allows you to disable the currently logged in administrator disabling the user
-issue#4578: The Cacti login algorithm is complicated to understand due to too much strait line code
-feature#4574: Cacti needs some additional permission methods for larger installations

This change properly documents the file lib/auth.php using phpDocument format, and performed multiple sanity and readability changes such as the renaming of variables commonly used in multiple functions.

The the restructuring of the three authentication files:

- auth_login.php
- include/auth.php
- lib/auth.php

Makes the code more readable, it's not a complete solution, however, it is much easier to follow now.
@netniV
Copy link
Member

netniV commented Feb 28, 2022

Shouldn't this go further and block editing of your own user for most things ?

@netniV netniV changed the title Cacti allows you to disable or delete the currently logged in administrator disabling the user When editing current user, last administrator may be removed Apr 3, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Dec 2, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Undesired behaviour
Projects
None yet
Development

No branches or pull requests

2 participants