Fix users vulnerabilities
This commit is contained in:
parent
a4d7653cf9
commit
036e2e3d6c
@ -324,6 +324,16 @@ if ($create_user) {
|
||||
|
||||
$user_is_admin = (int) get_parameter('is_admin', 0);
|
||||
|
||||
if (users_is_admin() === false && $user_is_admin !== 0) {
|
||||
db_pandora_audit(
|
||||
AUDIT_LOG_ACL_VIOLATION,
|
||||
'Trying to create with administrator privileges to user by non administrator user '.$config['id_user'],
|
||||
);
|
||||
|
||||
include 'general/noaccess.php';
|
||||
exit;
|
||||
}
|
||||
|
||||
$values = [];
|
||||
$values['id_user'] = (string) get_parameter('id_user');
|
||||
$values['fullname'] = (string) get_parameter('fullname');
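Review bot: The guard built on `$user_is_admin = (int) get_parameter('is_admin', 0);` only rejects the request; the value that is actually persisted in `$values['is_admin']` is assigned outside this hunk, so if that assignment normalises the parameter differently (for instance with `(bool)`), a non-numeric value would be `0` for this check yet truthy when stored. Writing the already-checked value instead of re-reading the parameter, `$values['is_admin'] = $user_is_admin;`, removes that gap. The name `$user_is_admin` is also misleading: later in this same commit `$user_is_admin = users_is_admin();` means "the current user is an admin", whereas here it holds the requested flag, so `$requested_is_admin` would read unambiguously. The enclosing `if ($create_user)` block starts before and ends after this hunk.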
|
||||
@ -538,6 +548,16 @@ if ($update_user) {
|
||||
$values['default_event_filter'] = (int) get_parameter('default_event_filter');
|
||||
$values['default_custom_view'] = (int) get_parameter('default_custom_view');
|
||||
|
||||
if (users_is_admin() === false && (bool) $values['is_admin'] !== false) {
|
||||
db_pandora_audit(
|
||||
AUDIT_LOG_ACL_VIOLATION,
|
||||
'Trying to add administrator privileges to user by non administrator user '.$config['id_user'],
|
||||
);
|
||||
|
||||
include 'general/noaccess.php';
|
||||
exit;
|
||||
}
|
||||
|
||||
// eHorus user level conf.
|
||||
$values['ehorus_user_level_enabled'] = (bool) get_parameter('ehorus_user_level_enabled', false);
|
||||
$values['ehorus_user_level_user'] = (string) get_parameter('ehorus_user_level_user');
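Review bot: `(bool) $values['is_admin'] !== false` on the guard line is the roundabout form of `(bool) $values['is_admin'] === true`, and it differs from the create-path guard earlier in this commit, which compares an `(int)` cast against `0`; one form in both places is easier to audit, e.g. `if (users_is_admin() === false && (int) $values['is_admin'] !== 0) {`. `$values['is_admin']` is assigned outside this hunk, so how the parameter was normalised cannot be confirmed here. Note also that the audit text "Trying to add administrator privileges" fires whenever a non-admin submits the form for a user whose admin flag is already set, not only when the flag is being granted; presumably intended, but a comment such as `// Non-admins may neither grant nor retain the admin flag on update.` would make that explicit. The enclosing `if ($update_user)` block begins before and continues after this hunk.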
|
||||
|
@ -260,9 +260,21 @@ if (is_metaconsole() === true) {
|
||||
|
||||
|
||||
$disable_user = get_parameter('disable_user', false);
|
||||
if ((bool) get_parameter('user_del', false) === true) {
|
||||
$delete_user = (bool) get_parameter('user_del', false);
|
||||
|
||||
if ($delete_user === true) {
|
||||
// Delete user.
|
||||
$id_user = get_parameter('delete_user', 0);
|
||||
if (users_is_admin($id_user) === true && users_is_admin() === false) {
|
||||
db_pandora_audit(
|
||||
AUDIT_LOG_ACL_VIOLATION,
|
||||
'Trying to delete admininstrator user by non administrator user '.$config['id_user'],
|
||||
);
|
||||
|
||||
include 'general/noaccess.php';
|
||||
exit;
|
||||
}
|
||||
|
||||
// Only allow delete user if is not the actual user.
|
||||
if ($id_user != $config['id_user']) {
|
||||
$user_row = users_get_user_by_id($id_user);
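Review bot: The audit string passed to `db_pandora_audit` misspells "administrator" as `admininstrator`, and the same typo appears in the disable-user guard in the next hunk (`'Trying to disable admininstrator user ...'`). These strings are what an operator will search for in the audit log, so both should read `'Trying to delete administrator user by non administrator user '.$config['id_user']` and its disable counterpart. Both guards also hand the raw request parameter (`delete_user` here, `id` in the next hunk) to `users_is_admin($id_user)` without a cast, and the existence check via `users_get_user_by_id($id_user)` only comes afterwards; presumably `users_is_admin` returns false for an unknown id, but that is not visible in this hunk. The `if ($delete_user === true)` block opened here closes outside the hunk.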
|
||||
@ -332,6 +344,16 @@ if ((bool) get_parameter('user_del', false) === true) {
|
||||
// Disable_user.
|
||||
$id_user = get_parameter('id', 0);
|
||||
|
||||
if (users_is_admin($id_user) === true && users_is_admin() === false) {
|
||||
db_pandora_audit(
|
||||
AUDIT_LOG_ACL_VIOLATION,
|
||||
'Trying to disable admininstrator user by non administrator user '.$config['id_user'],
|
||||
);
|
||||
|
||||
include 'general/noaccess.php';
|
||||
exit;
|
||||
}
|
||||
|
||||
if ($id_user !== 0) {
|
||||
$result = users_disable($id_user, $disable_user);
|
||||
} else {
|
||||
@ -353,20 +375,20 @@ if ((bool) get_parameter('user_del', false) === true) {
|
||||
}
|
||||
}
|
||||
|
||||
$filter_group = (int) get_parameter('filter_group', 0);
|
||||
$filter_search = get_parameter('filter_search', '');
|
||||
$search = (bool) get_parameter('search', false);
|
||||
$filter_group = (int) get_parameter('filter_group', 0);
|
||||
$filter_search = get_parameter('filter_search', '');
|
||||
$search = (bool) get_parameter('search', false);
|
||||
|
||||
if (($filter_group == 0) && ($filter_search == '')) {
|
||||
$search = false;
|
||||
}
|
||||
|
||||
$table = new stdClass();
|
||||
$table->width = '100%';
|
||||
$table->class = 'databox filters';
|
||||
$table->rowclass[0] = '';
|
||||
$table->data[0][0] = '<b>'.__('Group').'</b>';
|
||||
$table->data[0][1] = html_print_select_groups(
|
||||
$table = new stdClass();
|
||||
$table->width = '100%';
|
||||
$table->class = 'databox filters';
|
||||
$table->rowclass[0] = '';
|
||||
$table->data[0][0] = '<b>'.__('Group').'</b>';
|
||||
$table->data[0][1] = html_print_select_groups(
|
||||
false,
|
||||
'AR',
|
||||
true,
|
||||
@ -376,26 +398,26 @@ $table->data[0][1] = html_print_select_groups(
|
||||
'',
|
||||
0,
|
||||
true
|
||||
);
|
||||
$table->data[0][2] = '<b>'.__('Search').'</b>'.ui_print_help_tip(__('Search by username, fullname or email'), true);
|
||||
$table->data[0][3] = html_print_input_text(
|
||||
);
|
||||
$table->data[0][2] = '<b>'.__('Search').'</b>'.ui_print_help_tip(__('Search by username, fullname or email'), true);
|
||||
$table->data[0][3] = html_print_input_text(
|
||||
'filter_search',
|
||||
$filter_search,
|
||||
__('Search by username, fullname or email'),
|
||||
30,
|
||||
90,
|
||||
true
|
||||
);
|
||||
$table->data[0][4] = html_print_submit_button(
|
||||
);
|
||||
$table->data[0][4] = html_print_submit_button(
|
||||
__('Search'),
|
||||
'search',
|
||||
false,
|
||||
['class' => 'sub search'],
|
||||
true
|
||||
);
|
||||
);
|
||||
|
||||
$is_management_allowed = true;
|
||||
if (is_metaconsole() === false && is_management_allowed() === false) {
|
||||
$is_management_allowed = true;
|
||||
if (is_metaconsole() === false && is_management_allowed() === false) {
|
||||
$is_management_allowed = false;
|
||||
if (is_metaconsole() === false) {
|
||||
$url = '<a target="_blank" href="'.ui_get_meta_url(
|
||||
@ -411,16 +433,16 @@ if (is_metaconsole() === false && is_management_allowed() === false) {
|
||||
$url
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (is_metaconsole() === true) {
|
||||
if (is_metaconsole() === true) {
|
||||
$table->width = '96%';
|
||||
$form_filter = "<form class='filters_form' method='post'>";
|
||||
$form_filter .= html_print_table($table, true);
|
||||
$form_filter .= '</form>';
|
||||
ui_toggle($form_filter, __('Show Options'));
|
||||
} else {
|
||||
} else {
|
||||
$form_filter = "<form method='post'>";
|
||||
$form_filter .= html_print_table($table, true);
|
||||
$form_filter .= '</form>';
|
||||
@ -431,54 +453,54 @@ if (is_metaconsole() === true) {
|
||||
'',
|
||||
!$search
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Urls to sort the table.
|
||||
$url_up_id = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=id_user&sort=up&pure='.$pure;
|
||||
$url_down_id = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=id_user&sort=down&pure='.$pure;
|
||||
$url_up_name = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=fullname&sort=up&pure='.$pure;
|
||||
$url_down_name = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=fullname&sort=down&pure='.$pure;
|
||||
$url_up_last = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=last_connect&sort=up&pure='.$pure;
|
||||
$url_down_last = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=last_connect&sort=down&pure='.$pure;
|
||||
// Urls to sort the table.
|
||||
$url_up_id = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=id_user&sort=up&pure='.$pure;
|
||||
$url_down_id = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=id_user&sort=down&pure='.$pure;
|
||||
$url_up_name = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=fullname&sort=up&pure='.$pure;
|
||||
$url_down_name = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=fullname&sort=down&pure='.$pure;
|
||||
$url_up_last = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=last_connect&sort=up&pure='.$pure;
|
||||
$url_down_last = '?sec='.$sec.'&sec2=godmode/users/user_list&sort_field=last_connect&sort=down&pure='.$pure;
|
||||
|
||||
|
||||
$table = new stdClass();
|
||||
$table->cellpadding = 0;
|
||||
$table->cellspacing = 0;
|
||||
$table->width = '100%';
|
||||
$table->class = 'info_table';
|
||||
$table = new stdClass();
|
||||
$table->cellpadding = 0;
|
||||
$table->cellspacing = 0;
|
||||
$table->width = '100%';
|
||||
$table->class = 'info_table';
|
||||
|
||||
$table->head = [];
|
||||
$table->data = [];
|
||||
$table->align = [];
|
||||
$table->size = [];
|
||||
$table->valign = [];
|
||||
$table->head = [];
|
||||
$table->data = [];
|
||||
$table->align = [];
|
||||
$table->size = [];
|
||||
$table->valign = [];
|
||||
|
||||
$table->head[0] = __('User ID').ui_get_sorting_arrows($url_up_id, $url_down_id, $selectUserIDUp, $selectUserIDDown);
|
||||
$table->head[1] = __('Name').ui_get_sorting_arrows($url_up_name, $url_down_name, $selectFullnameUp, $selectFullnameDown);
|
||||
$table->head[2] = __('Last contact').ui_get_sorting_arrows($url_up_last, $url_down_last, $selectLastConnectUp, $selectLastConnectDown);
|
||||
$table->head[0] = __('User ID').ui_get_sorting_arrows($url_up_id, $url_down_id, $selectUserIDUp, $selectUserIDDown);
|
||||
$table->head[1] = __('Name').ui_get_sorting_arrows($url_up_name, $url_down_name, $selectFullnameUp, $selectFullnameDown);
|
||||
$table->head[2] = __('Last contact').ui_get_sorting_arrows($url_up_last, $url_down_last, $selectLastConnectUp, $selectLastConnectDown);
|
||||
|
||||
$table->head[3] = __('Admin');
|
||||
$table->head[4] = __('Profile / Group');
|
||||
$table->head[5] = __('Description');
|
||||
if ($is_management_allowed === true) {
|
||||
$table->head[3] = __('Admin');
|
||||
$table->head[4] = __('Profile / Group');
|
||||
$table->head[5] = __('Description');
|
||||
if ($is_management_allowed === true) {
|
||||
$table->head[6] = '<span title="Operations">'.__('Op.').'</span>';
|
||||
}
|
||||
}
|
||||
|
||||
if (is_metaconsole() === false) {
|
||||
if (is_metaconsole() === false) {
|
||||
$table->align[2] = '';
|
||||
$table->size[2] = '150px';
|
||||
}
|
||||
}
|
||||
|
||||
$table->align[3] = 'left';
|
||||
$table->align[3] = 'left';
|
||||
|
||||
if (is_metaconsole() === true) {
|
||||
if (is_metaconsole() === true) {
|
||||
$table->size[6] = '110px';
|
||||
} else {
|
||||
} else {
|
||||
$table->size[6] = '85px';
|
||||
}
|
||||
}
|
||||
|
||||
if (is_metaconsole() === false) {
|
||||
if (is_metaconsole() === false) {
|
||||
$table->valign[0] = 'top';
|
||||
$table->valign[1] = 'top';
|
||||
$table->valign[2] = 'top';
|
||||
@ -486,15 +508,15 @@ if (is_metaconsole() === false) {
|
||||
$table->valign[4] = 'top';
|
||||
$table->valign[5] = 'top';
|
||||
$table->valign[6] = 'top';
|
||||
}
|
||||
}
|
||||
|
||||
$info1 = [];
|
||||
$info1 = [];
|
||||
|
||||
$user_is_admin = users_is_admin();
|
||||
$user_is_admin = users_is_admin();
|
||||
|
||||
if ($user_is_admin) {
|
||||
if ($user_is_admin) {
|
||||
$info1 = get_users($order);
|
||||
} else {
|
||||
} else {
|
||||
$group_um = users_get_groups_UM($config['id_user']);
|
||||
// 0 is the group 'all'.
|
||||
if (isset($group_um[0])) {
|
||||
@ -504,10 +526,10 @@ if ($user_is_admin) {
|
||||
$info1 = array_merge($info1, users_get_users_by_group($group, $value));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Filter the users.
|
||||
if ($search) {
|
||||
// Filter the users.
|
||||
if ($search) {
|
||||
foreach ($info1 as $iterator => $user_info) {
|
||||
$found = false;
|
||||
|
||||
@ -543,20 +565,20 @@ if ($search) {
|
||||
unset($info1[$iterator]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$info = $info1;
|
||||
$info = $info1;
|
||||
|
||||
// Prepare pagination.
|
||||
ui_pagination(count($info));
|
||||
// Prepare pagination.
|
||||
ui_pagination(count($info));
|
||||
|
||||
$offset = (int) get_parameter('offset');
|
||||
$limit = (int) $config['block_size'];
|
||||
$offset = (int) get_parameter('offset');
|
||||
$limit = (int) $config['block_size'];
|
||||
|
||||
$rowPair = true;
|
||||
$iterator = 0;
|
||||
$cont = 0;
|
||||
foreach ($info as $user_id => $user_info) {
|
||||
$rowPair = true;
|
||||
$iterator = 0;
|
||||
$cont = 0;
|
||||
foreach ($info as $user_id => $user_info) {
|
||||
if (!$user_is_admin && $user_info['is_admin']) {
|
||||
// If user is not admin then don't display admin users.
|
||||
continue;
|
||||
@ -835,14 +857,14 @@ foreach ($info as $user_id => $user_info) {
|
||||
}
|
||||
|
||||
array_push($table->data, $data);
|
||||
}
|
||||
}
|
||||
|
||||
html_print_table($table);
|
||||
ui_pagination(count($info), false, 0, 0, false, 'offset', true, 'pagination-bottom');
|
||||
html_print_table($table);
|
||||
ui_pagination(count($info), false, 0, 0, false, 'offset', true, 'pagination-bottom');
|
||||
|
||||
echo '<div style="width: '.$table->width.'" class="action-buttons">';
|
||||
unset($table);
|
||||
if ($is_management_allowed === true) {
|
||||
echo '<div style="width: '.$table->width.'" class="action-buttons">';
|
||||
unset($table);
|
||||
if ($is_management_allowed === true) {
|
||||
if ($config['admin_can_add_user'] !== false) {
|
||||
echo '<form method="post" action="index.php?sec='.$sec.'&sec2=godmode/users/configure_user&pure='.$pure.'">';
|
||||
html_print_input_hidden('new_user', 1);
|
||||
@ -851,13 +873,13 @@ if ($is_management_allowed === true) {
|
||||
} else {
|
||||
echo '<i>'.__("The current authentication scheme doesn't support creating users on %s", get_product_name()).'</i>';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
echo '</div>';
|
||||
echo '</div>';
|
||||
|
||||
enterprise_hook('close_meta_frame');
|
||||
enterprise_hook('close_meta_frame');
|
||||
|
||||
echo '<script type="text/javascript">
|
||||
echo '<script type="text/javascript">
|
||||
function showGroups(){
|
||||
var groups_list = document.getElementById("groups_list");
|
||||
|
||||
|