[TASK] Integrate security update from version 7.1
tinzog committed Jan 23, 2023
1 parent cc40e78 commit d2dd633
Showing 2 changed files with 28 additions and 11 deletions.
36 changes: 25 additions & 11 deletions Classes/Controller/InvitationController.php
Expand Up @@ -13,6 +13,7 @@
use In2code\Femanager\Utility\LocalizationUtility;
use In2code\Femanager\Utility\StringUtility;
use In2code\Femanager\Utility\UserUtility;
use TYPO3\CMS\Core\Messaging\AbstractMessage;
use TYPO3\CMS\Core\Messaging\FlashMessage;
use TYPO3\CMS\Core\Utility\GeneralUtility;

Expand Down Expand Up @@ -127,6 +128,19 @@ public function createAllConfirmed(User $user)
public function editAction($user, $hash = null)
{
$user = $this->userRepository->findByUid($user);

// User must exist and hash must be valid
if ($user === null || !HashUtility::validHash($hash, $user)) {
$this->addFlashMessage(LocalizationUtility::translate('createFailedProfile'), '', AbstractMessage::ERROR);
$this->redirect('status');
}

// User must not be deleted (deleted = 0) and not be activated (disable = 1)
if ($user->getDisable() == 0) {
$this->addFlashMessage(LocalizationUtility::translate('userAlreadyConfirmed'), '', AbstractMessage::ERROR);
$this->redirect('status');
}

$user->setDisable(false);
$this->userRepository->update($user);
$this->persistenceManager->persistAll();
Expand All @@ -140,27 +154,27 @@ public function editAction($user, $hash = null)
]
);

if (!HashUtility::validHash($hash, $user)) {
if ($user !== null) {
// delete user for security reasons
$this->userRepository->remove($user);
}
$this->addFlashMessage(LocalizationUtility::translate('createFailedProfile'), '', FlashMessage::ERROR);
$this->forward('status');
}

$this->assignForAll();
}

/**
* action update
*
* @param \In2code\Femanager\Domain\Model\User $user
* @param string $hash
* @TYPO3\CMS\Extbase\Annotation\Validate("In2code\Femanager\Domain\Validator\ServersideValidator", param="user")
* @TYPO3\CMS\Extbase\Annotation\Validate("In2code\Femanager\Domain\Validator\PasswordValidator", param="user")
*/
public function updateAction($user)
public function updateAction($user, $hash = null)
{
if (!HashUtility::validHash($hash, $user)) {
$this->addFlashMessage(
LocalizationUtility::translateByState(Log::STATUS_PROFILEUPDATEREFUSEDSECURITY),
'',
AbstractMessage::ERROR
);
$this->redirect('status');
}
$this->addFlashMessage(LocalizationUtility::translate('createAndInvitedFinished'));
$this->logUtility->log(Log::STATUS_INVITATIONPROFILEENABLED, $user);
if ($this->settings['invitation']['notifyAdmin']) {
Expand Down Expand Up @@ -205,7 +219,7 @@ public function deleteAction($user, $hash = null)
{
$user = $this->userRepository->findByUid($user);

if (HashUtility::validHash($hash, $user)) {
if ($user !== null && HashUtility::validHash($hash, $user)) {
$this->logUtility->log(Log::STATUS_PROFILEDELETE, $user);
$this->addFlashMessage(LocalizationUtility::translateByState(Log::STATUS_INVITATIONPROFILEDELETEDUSER));

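Review bot: The guards added in editAction (`if ($user === null || !HashUtility::validHash($hash, $user))` and the following disable check) and the new one in updateAction rely on `$this->redirect('status')` ending the request; in TYPO3 versions where redirect() returns a response instead of throwing, execution would fall through into `$user->setDisable(false)` with a null or unverified user, so `return $this->redirect('status');` would keep the intent robust either way — please confirm which TYPO3 line this targets. The comment on the second guard mentions `deleted = 0`, but only `getDisable()` is checked; suggest `// User must still be unconfirmed (disable = 1); an already enabled account must not be re-activated`. The `== 0` comparison is loose; if getDisable() returns a bool, `!$user->getDisable()` states the check directly. editAction's body continues outside the hunk.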
3 changes: 3 additions & 0 deletions Resources/Private/Templates/Invitation/Edit.html
Expand Up @@ -18,6 +18,9 @@
action="update"
additionalAttributes="{data-femanager-plugin:data.uid}"
class="form-horizontal {f:if(condition:'{settings.invitation.validation._enable.client}',then:'feManagerValidation',else:'')}">

<f:form.hidden name="hash" value="{hash}"/>

<fieldset>
<legend>
<f:translate key="titleInvitationSetPassword" />
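Review bot: The hidden field submits `{hash}`, which updateAction now refuses without; the view-assign call at the top of the second controller hunk is cut off, so please confirm `hash` is among the variables editAction assigns to the view, otherwise every update would be rejected. Fluid escapes `{hash}` in the attribute by default, so the field is safe as long as output escaping is not disabled for this template.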
