Merge pull request #4240 from corentin-soriano/wrong_access_control

SEC - Correct wrong access control
nilsteampassnet · Aug 25, 2024 · e46e15c · e46e15c
2 parents f6d2bbb + e18e3cb
commit e46e15c
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 8 deletions.
diff --git a/index.php b/index.php
@@ -455,7 +455,7 @@
                                 ) {
         echo '
                     <li class="nav-item">
-                        <a href="#" data-name="favourites" class="nav-link', $get['page'] === 'admin' ? ' favourites' : '', '">
+                        <a href="#" data-name="favourites" class="nav-link', $get['page'] === 'favourites' ? ' active' : '', '">
                         <i class="nav-icon fa-solid fa-star"></i>
                         <p>
                             ' . $lang->get('favorites') . '

diff --git a/pages/export.php b/pages/export.php
@@ -64,9 +64,19 @@
         'user_key' => returnIfSet($session->get('key'), null),
     ]
 );
-// Handle the case
+
+// Check user access and printing enabled
 echo $checkUserAccess->caseHandler();
-if ($checkUserAccess->checkSession() === false || $checkUserAccess->userAccessPage('export') === false) {
+if ($checkUserAccess->checkSession() === false || $checkUserAccess->userAccessPage('export') === false
+    || isset($SETTINGS['allow_print']) === false || (int) $SETTINGS['allow_print'] === 0
+    || isset($SETTINGS['roles_allowed_to_print_select']) === false
+    || empty($SETTINGS['roles_allowed_to_print_select']) === true
+    || count(array_intersect(
+        explode(';', $session->get('user-roles')),
+        explode(',', str_replace(['"', '[', ']'], '', $SETTINGS['roles_allowed_to_print_select']))
+    )) === 0
+    || (int) $session_user_admin === 1
+) {
     // Not allowed page
     $session->set('system-error_code', ERR_NOT_ALLOWED);
     include $SETTINGS['cpassman_dir'] . '/error.php';

diff --git a/pages/favourites.php b/pages/favourites.php
@@ -64,9 +64,12 @@
         'user_key' => returnIfSet($session->get('key'), null),
     ]
 );
-// Handle the case
+
+// Check user access and favourites enabled
 echo $checkUserAccess->caseHandler();
-if ($checkUserAccess->checkSession() === false || $checkUserAccess->userAccessPage('favourites') === false) {
+if ($checkUserAccess->checkSession() === false || $checkUserAccess->userAccessPage('favourites') === false
+    || isset($SETTINGS['enable_favourites']) === false || (int) $SETTINGS['enable_favourites'] === 0
+    || (int) $session_user_admin === 1) {
     // Not allowed page
     $session->set('system-error_code', ERR_NOT_ALLOWED);
     include $SETTINGS['cpassman_dir'] . '/error.php';

diff --git a/pages/import.php b/pages/import.php
@@ -64,9 +64,11 @@
         'user_key' => returnIfSet($session->get('key'), null),
     ]
 );
-// Handle the case
+
+// Check user access and import enabled
 echo $checkUserAccess->caseHandler();
-if ($checkUserAccess->checkSession() === false || $checkUserAccess->userAccessPage('import') === false) {
+if ($checkUserAccess->checkSession() === false || $checkUserAccess->userAccessPage('import') === false
+    || isset($SETTINGS['allow_import']) === false || (int) $SETTINGS['allow_import'] !== 1) {
     // Not allowed page
     $session->set('system-error_code', ERR_NOT_ALLOWED);
     include $SETTINGS['cpassman_dir'] . '/error.php';

diff --git a/vendor/teampassclasses/performchecks/src/PerformChecks.php b/vendor/teampassclasses/performchecks/src/PerformChecks.php
@@ -154,7 +154,7 @@ function userAccessPage($pageVisited): bool
         // Definition
         $pagesRights = array(
             'user' => array(
-                'home', 'items', 'search', 'kb', 'favourites', 'suggestion', 'profile', 'import', 'export', 'folders', 'offline',
+                'home', 'items', 'search', 'kb', 'favourites', 'suggestion', 'profile', 'import', 'export', 'offline',
             ),
             'manager' => array(
                 'home', 'items', 'search', 'kb', 'favourites', 'suggestion', 'folders', 'roles', 'utilities', 'users', 'profile',