fix: [security] user settings allow enumeration of usernames
- as reported by Dawid Czarnecki from Zigrin Security
iglocska committed Feb 3, 2022
1 parent a263234 commit 88f3cc7
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions src/Controller/UserSettingsController.php
Expand Up @@ -36,9 +36,16 @@ public function index()
return $responsePayload;
}
if (!empty($this->request->getQuery('Users_id'))) {
$settingsForUser = $this->UserSettings->Users->find()->where([
$conditions = [
'id' => $this->request->getQuery('Users_id')
])->first();
];
if (empty($currentUser['role']['perm_admin'])) {
$conditions['organisation_id'] = $currentUser['organisation_id'];
}
$settingsForUser = $this->UserSettings->Users->find()->where($conditions)->first();
if (empty($settingsForUser)) {
throw new NotFoundException(__('Invalid {0}.', __('user')));
}
$this->set('settingsForUser', $settingsForUser);
}
}
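Review bot: The organisation condition added before the `find()` is the whole enumeration fix, yet nothing in the code records that intent or that the cross-organisation case is meant to surface as the same `NotFoundException` as a non-existent user (a distinct 403 would tell a caller that the ID exists); a later refactor could easily "improve" it into a permission error. I would add above the `if (empty($currentUser['role']['perm_admin']))` line: `// Non-admins may only look up users of their own organisation; an ID outside it is reported as "not found", not "forbidden", so that valid user IDs cannot be enumerated.` Separately, `$currentUser` is assigned outside this hunk, so I cannot see whether `organisation_id` is guaranteed non-null; if it can be null the ORM would render `organisation_id IS NULL` rather than fail closed, which may be worth an explicit guard. The enclosing index() starts before this hunk.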
Expand Down Expand Up @@ -233,7 +240,7 @@ public function deleteMyBookmark()
}

/**
* isLoggedUserAllowedToEdit
* isLoggedUserAllowedToEdit
*
* @param int|\App\Model\Entity\UserSetting $setting
* @return boolean
