From 22f151bc6da6f6c9f0260cfc6f41c6acb01a60ad Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Wed, 28 Apr 2021 17:01:50 +0200
Subject: [PATCH 1/2] fixed bug in users search

---
 .../operation/search_users.getdata.php | 39 +++++++------------
 1 file changed, 13 insertions(+), 26 deletions(-)

diff --git a/pandora_console/operation/search_users.getdata.php b/pandora_console/operation/search_users.getdata.php
index 99ca08ee68..9ba7ee24af 100644
--- a/pandora_console/operation/search_users.getdata.php
+++ b/pandora_console/operation/search_users.getdata.php
@@ -221,7 +221,18 @@ if ($searchUsers) {
 // Check ACLs
 $users_id = [];
 foreach ($users as $key => $user) {
- if (!check_acl($config['id_user'], users_get_groups($user['id_user']), 'UM') && $config['id_user'] != $user['id_user']) {
+ $user_can_manage_all = users_can_manage_group_all('UM');
+
+ $user_groups = users_get_groups(
+ $user['id_user'],
+ 'AR',
+ $user_can_manage_all
+ );
+
+ // Get group IDs.
+ $user_groups = array_keys($user_groups);
+
+ if (!check_acl_one_of_groups($config['id_user'], $user_groups, 'UM') && $config['id_user'] != $user['id_user']) {
 unset($users[$key]);
 } else {
 $users_id[] = $user['id_user'];
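Review bot: `$user_can_manage_all = users_can_manage_group_all('UM');` is evaluated on every iteration although its argument is constant, so if it depends only on the session user (as the name suggests; the function itself is not in view) it should be hoisted above the `foreach` that appears as the hunk's third context line. Its result is then passed as the third argument of `users_get_groups` for the target user, so the viewer's capability, not the target's, decides what the target's group list contains; a comment such as `// Viewer's manage-all flag decides whether the All group is part of the target's list.` would make that explicit, and the maintainer should confirm it matches what that parameter means. The loop body continues past the end of the hunk.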
@@ -229,33 +240,9 @@ if ($searchUsers) {
 }
 
 if ($only_count) {
+ $totalUsers = count($users);
 unset($users);
 }
-
- switch ($config['dbtype']) {
- case 'mysql':
- case 'postgresql':
- $sql = "SELECT COUNT(id_user) AS count FROM tusuario
- WHERE id_user LIKE '%".$stringSearchSQL."%' OR
- fullname LIKE '%".$stringSearchSQL."%' OR
- firstname LIKE '%".$stringSearchSQL."%' OR
- lastname LIKE '%".$stringSearchSQL."%' OR
- middlename LIKE '%".$stringSearchSQL."%' OR
- email LIKE '%".$stringSearchSQL."%'";
- break;
-
- case 'oracle':
- $sql = "SELECT COUNT(id_user) AS count FROM tusuario
- WHERE upper(id_user) LIKE '%".strtolower($stringSearchSQL)."%' OR
- upper(fullname) LIKE '%".strtolower($stringSearchSQL)."%' OR
- upper(firstname) LIKE '%".strtolower($stringSearchSQL)."%' OR
- upper(lastname) LIKE '%".strtolower($stringSearchSQL)."%' OR
- upper(middlename) LIKE '%".strtolower($stringSearchSQL)."%' OR
- upper(email LIKE) '%".strtolower($stringSearchSQL)."%'";
- break;
- }
-
- $totalUsers = db_get_value_sql($sql);
 } else {
 $totalUsers = 0;
 }

From 9513386ff7c52c7665b9253704612f499d91e34d Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Wed, 2 Jun 2021 12:47:55 +0200
Subject: [PATCH 2/2] prevent nonadmin users from viewing admin users in pandora search

---
 pandora_console/operation/search_users.getdata.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pandora_console/operation/search_users.getdata.php b/pandora_console/operation/search_users.getdata.php
index 9ba7ee24af..76cf7792ea 100644
--- a/pandora_console/operation/search_users.getdata.php
+++ b/pandora_console/operation/search_users.getdata.php
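Review bot: `$totalUsers` is now assigned only inside `if ($only_count)`, while the unconditional `$totalUsers = db_get_value_sql($sql);` that used to follow the `switch` is removed, so when `$only_count` is false this branch leaves `$totalUsers` unassigned (unless it is set earlier in the file, outside this hunk). Moving the assignment above the condition — `$totalUsers = count($users);` immediately before `if ($only_count) {` — gives both paths a value. The new total counts the ACL-filtered list rather than every matching row of `tusuario`, which is the figure a caller should see now that the string-built `LIKE` queries are gone; a one-line comment saying the count is post-ACL would save the next reader from wondering why it no longer matches the table.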
@@ -232,7 +232,12 @@ if ($searchUsers) {
 // Get group IDs.
 $user_groups = array_keys($user_groups);
 
- if (!check_acl_one_of_groups($config['id_user'], $user_groups, 'UM') && $config['id_user'] != $user['id_user']) {
+ if (check_acl_one_of_groups($config['id_user'], $user_groups, 'UM') === false
+ && $config['id_user'] != $user['id_user']
+ || (users_is_admin($config['id_user']) === false
+ && users_is_admin($user['id_user']) === true)
+ || $config['id_user'] === $user['id_user']
+ ) {
 unset($users[$key]);
 } else {
 $users_id[] = $user['id_user'];
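Review bot: The last clause `|| $config['id_user'] === $user['id_user']` removes the current user unconditionally, which makes the `&& $config['id_user'] != $user['id_user']` exemption in the first clause dead: when the ids differ it is always true, and when they are equal the last clause unsets the entry anyway. The commit message only describes hiding admin users from non-admins, so if excluding yourself is intended it deserves a comment and the exemption should go; if not, the last clause should go. The same id pair is compared with `!=` on one line and `===` on another; numeric-looking string ids compare loosely in surprising ways (`'1e3' == '1000'` is true), so both should be strict. Leaning on `&&` binding tighter than `||` across five lines without parentheses is hard to read; naming each clause keeps the logic identical and makes the intent explicit, and `users_is_admin($config['id_user'])` is loop-invariant if it only reads session state, so it could be hoisted above the `foreach` (whose header lies outside this hunk).
```php
            // Get group IDs.
            $user_groups = array_keys($user_groups);

            $is_self = $config['id_user'] === $user['id_user'];
            $lacks_um = check_acl_one_of_groups($config['id_user'], $user_groups, 'UM') === false;
            // Non-admin viewers must not see admin accounts.
            $hides_admin = users_is_admin($config['id_user']) === false
                && users_is_admin($user['id_user']) === true;

            // Same truth table as the committed condition; drop $is_self if the
            // current user should remain visible in their own search results.
            if ($is_self || $lacks_um || $hides_admin) {
                unset($users[$key]);
            // … unchanged: else branch collecting $users_id …
```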