fix: [security] open endpoints should only be open when enabled
- as reported by Dawid Czarnecki from Zigrin Security
iglocska committed Feb 3, 2022
1 parent 15190b9 commit a263234
Showing 2 changed files with 10 additions and 2 deletions.
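--- a/src/Controller/Open/IndividualsController.php
+++ b/src/Controller/Open/IndividualsController.php
@@ -11,13 +11,17 @@
 use Cake\Http\Exception\MethodNotAllowedException;
 use Cake\Http\Exception\ForbiddenException;
 use Cake\Event\EventInterface;
+use Cake\Core\Configure;
 
 class IndividualsController extends AppController
 {
 public function beforeFilter(EventInterface $event)
 {
 parent::beforeFilter($event);
-$this->Authentication->allowUnauthenticated(['index']);
+$open = Configure::read('Cerebrate.open');
+if (!empty($open) && in_array('individuals', $open)) {
+$this->Authentication->allowUnauthenticated(['index']);
+}
 }
 
 public function index()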
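Review bot: The new gate `in_array('individuals', $open)` in IndividualsController::beforeFilter uses loose comparison, so a `Cerebrate.open` entry of `true` (or, before PHP 8, `0`) compares equal to every endpoint name and would reopen the endpoint this commit is meant to lock down; pass the strict flag, `if (is_array($open) && in_array('individuals', $open, true)) {`. Using `is_array` instead of `!empty` also covers a setting that is present but not an array, which `!empty` lets through to `in_array` where it raises a TypeError on PHP 8. The same pattern is in OrganisationsController::beforeFilter with `'organisations'` and should get the same change. Whether the configuration layer already guarantees an array value I can't tell from the hunk.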
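--- a/src/Controller/Open/OrganisationsController.php
+++ b/src/Controller/Open/OrganisationsController.php
@@ -10,13 +10,17 @@
 use Cake\Http\Exception\MethodNotAllowedException;
 use Cake\Http\Exception\ForbiddenException;
 use Cake\Event\EventInterface;
+use Cake\Core\Configure;
 
 class OrganisationsController extends AppController
 {
 public function beforeFilter(EventInterface $event)
 {
 parent::beforeFilter($event);
-$this->Authentication->allowUnauthenticated(['index']);
+$open = Configure::read('Cerebrate.open');
+if (!empty($open) && in_array('organisations', $open)) {
+$this->Authentication->allowUnauthenticated(['index']);
+}
 }
 
 public function index()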
