SOAP API: apply access control to mci_account_get_array_by_id
The access controls are the same as the ones applied by
view_user_page.php, with the single addition of making the info
available if the user requests their own information.

This preserves the behaviour of the mc_login method call.

Fixes #17243 (leak of user personal information)

Signed-off-by: Damien Regad <dregad@mantisbt.org>
rombert authored and dregad committed Nov 15, 2014
1 parent b509ab3 commit f779e3d
Showing 1 changed file with 23 additions and 6 deletions.
29 changes: 23 additions & 6 deletions api/soap/mc_account_api.php
Expand Up @@ -33,17 +33,34 @@ function mci_account_get_array_by_id( $p_user_id ) {
$t_result['id'] = $p_user_id;

if( user_exists( $p_user_id ) ) {

$t_current_user_id = auth_get_current_user_id();
$t_access_level = user_get_field ( $t_current_user_id, 'access_level' );
$t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) &&
access_has_global_level( $t_access_level );

# this deviates from the behaviour of view_user_page.php, but it is more intuitive
$t_is_same_user = $t_current_user_id === $p_user_id;

$t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) );
$t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) );

$t_result['name'] = user_get_field( $p_user_id, 'username' );
$t_dummy = user_get_field( $p_user_id, 'realname' );

if( !empty( $t_dummy ) ) {
$t_result['real_name'] = $t_dummy;
if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) {
$t_realname = user_get_realname( $p_user_id );

if( !empty( $t_realname ) ) {
$t_result['real_name'] = $t_realname;
}
}

$t_dummy = user_get_field( $p_user_id, 'email' );
if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) {
$t_email = user_get_email( $p_user_id );

if( !empty( $t_dummy ) ) {
$t_result['email'] = $t_dummy;
if( !empty( $t_email ) ) {
$t_result['email'] = $t_email;
}
}
}
return $t_result;
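Review bot: In the $t_can_manage assignment, $t_access_level is read from $t_current_user_id, so the second operand, access_has_global_level( $t_access_level ), asks whether the caller holds the caller's own level and adds nothing to the manage_user_threshold check. If the intent is that a manager cannot read the details of an account ranked above their own, read access_level from $p_user_id instead. Separately, `$t_is_same_user = $t_current_user_id === $p_user_id;` is a strict comparison and neither side is cast in the visible lines; if the SOAP layer passes $p_user_id as a string while auth_get_current_user_id() returns an integer, the self-lookup case is never true and the user falls back to the threshold checks, which would break the mc_login behaviour the commit message says is preserved. Casting both sides to int before comparing would make that explicit.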