
Commit f779e3d

rombertdregad
authored andcommitted
SOAP API: apply access control to mci_account_get_array_by_id
The access controls are the same as the ones applied by view_user_page.php, with the single addition of making the info available if the user requests their own information. This preserves the behaviour of the mc_login method call. Fixes #17243 (leak of user personal information) Signed-off-by: Damien Regad <dregad@mantisbt.org>
1 parent b509ab3 commit f779e3d


1 file changed

+23
-6
lines changed


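--- a/api/soap/mc_account_api.php
+++ b/api/soap/mc_account_api.php
@@ -33,17 +33,34 @@ function mci_account_get_array_by_id( $p_user_id ) {
 	$t_result['id'] = $p_user_id;
 
 	if( user_exists( $p_user_id ) ) {
+
+		$t_current_user_id = auth_get_current_user_id();
+		$t_access_level = user_get_field ( $t_current_user_id, 'access_level' );
+		$t_can_manage = access_has_global_level( config_get( 'manage_user_threshold' ) ) &&
+			access_has_global_level( $t_access_level );
+
+		# this deviates from the behaviour of view_user_page.php, but it is more intuitive
+		$t_is_same_user = $t_current_user_id === $p_user_id;
+
+		$t_can_see_realname = access_has_project_level( config_get( 'show_user_realname_threshold' ) );
+		$t_can_see_email = access_has_project_level( config_get( 'show_user_email_threshold' ) );
+
 		$t_result['name'] = user_get_field( $p_user_id, 'username' );
-		$t_dummy = user_get_field( $p_user_id, 'realname' );
 
-		if( !empty( $t_dummy ) ) {
-			$t_result['real_name'] = $t_dummy;
+		if ( $t_is_same_user || $t_can_manage || $t_can_see_realname ) {
+			$t_realname = user_get_realname( $p_user_id );
+
+			if( !empty( $t_realname ) ) {
+				$t_result['real_name'] = $t_realname;
+			}
 		}
 
-		$t_dummy = user_get_field( $p_user_id, 'email' );
+		if ( $t_is_same_user || $t_can_manage || $t_can_see_email ) {
+			$t_email = user_get_email( $p_user_id );
 
-		if( !empty( $t_dummy ) ) {
-			$t_result['email'] = $t_dummy;
+			if( !empty( $t_email ) ) {
+				$t_result['email'] = $t_email;
+			}
 		}
 	}
 	return $t_result;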
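Review bot: `$t_access_level` on new line 38 is read for `$t_current_user_id`, so the second clause of `$t_can_manage` on line 40 checks the current user against their own access level and is effectively always true, leaving `manage_user_threshold` as the only real gate. If the intent is the view_user_page.php rule that a manager may only view accounts at or below their own level, the lookup should target the requested account: `$t_access_level = user_get_field( $p_user_id, 'access_level' );`. The strict `===` on line 43 is only correct if every caller passes `$p_user_id` as an int; an id arriving as a string from the SOAP layer would silently fail the same-user test and fall back to the threshold checks, so either cast with `(int)$p_user_id` or document the int precondition on the function. The function's closing brace lies outside the hunk.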
