

Fixed issue #18913: [security] incorrect permissions for useraction (#…
ptelu committed Jun 28, 2023
1 parent 7f8efd3 commit 4824bc9
Showing 2 changed files with 118 additions and 19 deletions.
2 changes: 1 addition & 1 deletion application/controllers/AjaxAlertController.php
Expand Up @@ -27,7 +27,7 @@ private function translateOptionsForWidget()
$customOptions = $request->getPost('customOptions', []);

$translatedOptions = [];
$translatedOptions['text'] = $request->getPost('message', 'Test');
$translatedOptions['text'] = $request->getPost('message', 'message');
$translatedOptions['type'] = $request->getPost('alertType', 'success');
$knownOptions = ['tag', 'isFilled', 'showIcon', 'showCloseButton', 'timeout'];
foreach ($knownOptions as $knownOption) {
135 changes: 117 additions & 18 deletions application/controllers/UserManagementController.php
Expand Up @@ -291,21 +291,85 @@ public function actionRunAddDummyUser()
*/
public function actionDeleteUser()
{
if (!Permission::model()->hasGlobalPermission('users', 'delete')) {
return $this->renderPartial(
'partial/error',
['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
);
$permission_users_delete = Permission::model()->hasGlobalPermission('users', 'delete');
$permission_superadmin_read = Permission::model()->hasGlobalPermission('superadmin', 'read');
if (!$permission_users_delete) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'errors' => gT("We are sorry but you don't have permissions to do this.")
]
]);
}
$userId = (int) Yii::app()->request->getPost('userid');
if ($userId == Yii::app()->user->id) {
$userId = (int) App()->request->getPost('userid');
$oUser = User::model()->findByPk($userId);
$currentUser = (int) App()->user->getId();
if (!$oUser) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'message' => gT("You cannot delete yourself.")
'errors' => gT("User does not exist")
]
]);
}
if ($permission_superadmin_read) {
// Can't delete forced superadmins
if (Permission::isForcedSuperAdmin($userId)) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'errors' => gT("We are sorry but you don't have permissions to do this.")
]
]);
}
// Can't delete yourself
if ($userId === $currentUser) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'errors' => gT("You cannot delete yourself.")
]
]);
}
}
if (!$permission_superadmin_read) {
// Can't delete yourself
if ($userId === $currentUser) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'errors' => gT("You cannot delete yourself.")
]
]);
}
// Dont have permission to delete users
if (!$permission_users_delete) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'errors' => gT("We are sorry but you don't have permissions to do this.")
]
]);
}
// Can't delete users that are not owned by the current user
if ((int) $oUser->parent_id !== $currentUser) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'errors' => gT("We are sorry but you don't have permissions to do this.")
]
]);
}
// Can't delete forced superadmins
if (Permission::isForcedSuperAdmin($userId)) {
return App()->getController()->renderPartial('/admin/super/_renderJson', [
'data' => [
'success' => false,
'errors' => gT("We are sorry but you don't have permissions to do this.")
]
]);
}
}

$message = '';
$transferTo = Yii::app()->request->getPost('transfer_surveys_to');
Expand Down Expand Up @@ -352,7 +416,6 @@ public function actionDeleteUser()
$message .= sprintf(gT("All participants owned by this user were transferred to %s."), $transferredToName) . " ";
}

$oUser = User::model()->findByPk($userId);
//todo REFACTORING user permissions should be deleted also ... (in table permissions)
$oUser->delete();
$message .= gT("User successfully deleted.");
Expand Down Expand Up @@ -1161,21 +1224,57 @@ public function actionTakeOwnership()
*/
public function deleteUser(int $uid): bool
{
if (!Permission::model()->hasGlobalPermission('users', 'delete')) {
return $this->renderPartial(
'partial/error',
['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true]
);
$permission_users_delete = Permission::model()->hasGlobalPermission('users', 'delete');
$permission_superadmin_read = Permission::model()->hasGlobalPermission('superadmin', 'read');
if (!$permission_users_delete) {
return false;
}

if ($uid == Yii::app()->user->id) {
$userId = $uid;
$oUser = User::model()->findByPk($userId);
$currentUser = (int)App()->user->getId();
if (!$oUser) {
return false;
}
if (Permission::isForcedSuperAdmin($uid)) {
if ($permission_superadmin_read) {
// Can't delete forced superadmins
if (Permission::isForcedSuperAdmin($userId)) {
return false;
}
// Can't delete yourself
if ($userId === $currentUser) {
return false;
}
}
if (!$permission_superadmin_read) {
// Can't delete yourself
if ($userId === $currentUser) {
return false;
}
// Dont have permission to delete users
if (!$permission_users_delete) {
return false;
}
// Can't delete users that are not owned by the current user
if ((int)$oUser->parent_id !== $currentUser) {
return false;
}
// Can't delete forced superadmins
if (Permission::isForcedSuperAdmin($userId)) {
return false;
}
}


// Check if user owns a survey
$aOwnedSurveys = Survey::model()->findAllByAttributes(['owner_id' => $userId]);
if (count($aOwnedSurveys)) {
return false;
}

$oUser = User::model()->findByPk($uid);
// Transfer any Participants owned by this user to site's admin
Participant::model()->updateAll(['owner_uid' => 1], 'owner_uid = :owner_uid', [':owner_uid' => $userId]);

//todo REFACTORING user permissions should be deleted also ... (in table permissions)
return $oUser->delete();
}

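Review bot: The `// Dont have permission to delete users` check inside the `if (!$permission_superadmin_read)` block of actionDeleteUser, and the same check in deleteUser, is unreachable, because both methods already return on `!$permission_users_delete` immediately after computing the flag; the self-deletion and forced-superadmin checks are also written twice, once per branch, in both methods. Since actionDeleteUser and deleteUser now enforce identical rules, they should call one private helper so the two copies cannot drift apart, leaving only the ownership test `(int) $oUser->parent_id !== $currentUser` conditional on `$permission_superadmin_read`. The body of actionDeleteUser continues outside the hunk, so whether the `transfer_surveys_to` target is constrained for the newly permitted non-superadmin path cannot be confirmed from here. A sketch of the helper and its use in deleteUser (the JSON-rendering call sites in actionDeleteUser would call it the same way):
```php
// … unchanged: permission flags, user lookup and the !$oUser guard in deleteUser …
if (!$this->canDeleteUser($userId, $oUser, $permission_superadmin_read)) {
    return false;
}
// … unchanged: owned-survey check, participant transfer, delete …

/**
 * Shared rule for actionDeleteUser() and deleteUser(): may the current user delete $oUser?
 * The caller has already verified the global 'users'/'delete' permission.
 */
private function canDeleteUser(int $userId, User $oUser, bool $isSuperadmin): bool
{
    $currentUser = (int) App()->user->getId();
    // Nobody may delete themselves or a forced superadmin
    if ($userId === $currentUser || Permission::isForcedSuperAdmin($userId)) {
        return false;
    }
    // Non-superadmins may only delete users they own (parent_id)
    return $isSuperadmin || (int) $oUser->parent_id === $currentUser;
}
```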
