Skip to content
Permalink
Browse files
Fix CWE-269 - huntr - Fix set of email without edit user permission
  • Loading branch information
eldy committed May 24, 2021
1 parent 31af74f commit bb64a25638cdba35bba39b8cf44677529ca403b1
Showing with 45 additions and 39 deletions.
  1. +1 −1 htdocs/core/class/ldap.class.php
  2. +42 −36 htdocs/user/bank.php
  3. +2 −2 htdocs/user/card.php
@@ -932,7 +932,7 @@ public function getAttributeValues($filterrecord, $attribute)
* Returns an array containing a details or list of LDAP record(s)
* ldapsearch -LLLx -hlocalhost -Dcn=admin,dc=parinux,dc=org -w password -b "ou=adherents,ou=people,dc=parinux,dc=org" userPassword
*
* @param string $search Value of fiel to search, '*' for all. Not used if $activefilter is set.
* @param string $search Value of field to search, '*' for all. Not used if $activefilter is set.
* @param string $userDn DN (Ex: ou=adherents,ou=people,dc=parinux,dc=org)
* @param string $useridentifier Name of key field (Ex: uid)
* @param array $attributeArray Array of fields required. Note this array must also contains field $useridentifier (Ex: sn,userPassword)
@@ -59,24 +59,6 @@
$socid = $user->socid;
}
$feature2 = (($socid && $user->rights->user->self->creer) ? '' : 'user');
// Ok if user->rights->salaries->read or user->rights->hrm->read
//$result = restrictedArea($user, 'salaries|hrm', $id, 'user&user', $feature2);
$ok = false;
if ($user->id == $id) {
$ok = true; // A user can always read its own card
}
if (!empty($user->rights->salaries->read)) {
$ok = true;
}
if (!empty($user->rights->hrm->read)) {
$ok = true;
}
if (!empty($user->rights->expensereport->lire) && ($user->id == $object->id || $user->rights->expensereport->readall)) {
$ok = true;
}
if (!$ok) {
accessforbidden();
}

$object = new User($db);
if ($id > 0 || !empty($ref)) {
@@ -94,14 +76,37 @@
$account->userid = $object->id;
}


// Define value to know what current user can do on users
$canadduser = (!empty($user->admin) || $user->rights->user->user->creer);
$canreaduser = (!empty($user->admin) || $user->rights->user->user->lire);
$permissiontoaddbankaccount = (!empty($user->rights->salaries->write) || !empty($user->rights->hrm->employee->write) || !empty($user->rights->user->creer));

// Ok if user->rights->salaries->read or user->rights->hrm->read
//$result = restrictedArea($user, 'salaries|hrm', $id, 'user&user', $feature2);
$ok = false;
if ($user->id == $id) {
$ok = true; // A user can always read its own card
}
if (!empty($user->rights->salaries->read)) {
$ok = true;
}
if (!empty($user->rights->hrm->read)) {
$ok = true;
}
if (!empty($user->rights->expensereport->lire) && ($user->id == $object->id || $user->rights->expensereport->readall)) {
$ok = true;
}
if (!$ok) {
accessforbidden();
}


/*
* Actions
*/

if ($action == 'add' && !$cancel) {
if ($action == 'add' && !$cancel && $permissiontoaddbankaccount) {
$account->userid = $object->id;

$account->bank = GETPOST('bank', 'alpha');
@@ -128,7 +133,7 @@
}
}

if ($action == 'update' && !$cancel) {
if ($action == 'update' && !$cancel && $permissiontoaddbankaccount) {
$account->userid = $object->id;

/*
@@ -199,7 +204,7 @@
}

// update personal email
if ($action == 'setpersonal_email') {
if ($action == 'setpersonal_email' && $canadduser) {
$object->personal_email = (string) GETPOST('personal_email', 'alphanohtml');
$result = $object->update($user);
if ($result < 0) {
@@ -208,34 +213,35 @@
}

// update personal mobile
if ($action == 'setpersonal_mobile') {
if ($action == 'setpersonal_mobile' && $canadduser) {
$object->personal_mobile = (string) GETPOST('personal_mobile', 'alphanohtml');
$result = $object->update($user);
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
}
}

// update default_c_exp_tax_cat
if ($action == 'setdefault_c_exp_tax_cat') {
$object->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat', 'int');
$result = $object->update($user);
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
if (!empty($conf->global->MAIN_USE_EXPENSE_IK)) {
// update default_c_exp_tax_cat
if ($action == 'setdefault_c_exp_tax_cat' && $canadduser) {
$object->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat', 'int');
$result = $object->update($user);
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
}
}
}

// update default range
if ($action == 'setdefault_range') {
$object->default_range = GETPOST('default_range', 'int');
$result = $object->update($user);
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
// update default range
if ($action == 'setdefault_range' && $canadduser) {
$object->default_range = GETPOST('default_range', 'int');
$result = $object->update($user);
if ($result < 0) {
setEventMessages($object->error, $object->errors, 'errors');
}
}
}



/*
* View
*/
@@ -615,8 +615,8 @@
}

// Action initialisation donnees depuis record LDAP
if ($action == 'adduserldap') {
$selecteduser = $_POST['users'];
if ($action == 'adduserldap' && $canadduser) {
$selecteduser = GETPOST('users');

$required_fields = array(
$conf->global->LDAP_KEY_USERS,

0 comments on commit bb64a25

Please sign in to comment.