mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
09a2977adb8bc4b1db116c725d661160c930d3a1
librenms-librenms/app/Http/Requests/UpdateUserRequest.php
Tony Murray 09a2977adb Fix authentication mass assignment vulnerability (#14468) 
Users were able to submit changes to fields they should not have access to change by bypassing the frontend validation.  Correct backend validation to prevent that.
2022-10-17 12:11:14 -05:00

90 lines
2.8 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Requests;
use Hash;
use Illuminate\Foundation\Http\FormRequest;
use LibreNMS\Config;
class UpdateUserRequest extends FormRequest
{
/**
* Determine if the user is authorized to make this request.
*
* @return bool
*/
public function authorize()
{
if ($this->user()->isAdmin()) {
return true;
}
$user = $this->route('user');
if ($user && $this->user()->can('update', $user)) {
// normal users cannot edit their level or ability to modify a password
unset($this['level'], $this['can_modify_passwd']);
return true;
}
return false;
}
/**
* Get the validation rules that apply to the request.
*
* @return array
*/
public function rules()
{
if ($this->user()->isAdmin()) {
return [
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
'descr' => 'nullable|max:30|alpha_space',
'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
'new_password_confirmation' => 'nullable|same:new_password',
'dashboard' => 'int',
'level' => 'int',
'enabled' => 'nullable',
'can_modify_passwd' => 'nullable',
];
}
return [
'realname' => 'nullable|max:64|alpha_space',
'email' => 'nullable|email|max:64',
'descr' => 'nullable|max:30|alpha_space',
'old_password' => 'nullable|string',
'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
'new_password_confirmation' => 'nullable|same:new_password',
'dashboard' => 'int',
];
}
/**
* Configure the validator instance.
*
* @param \Illuminate\Validation\Validator $validator
* @return void
*/
public function withValidator($validator)
{
$validator->after(function ($validator) {
// if not an admin and new_password is set, check old password matches
if (! $this->user()->isAdmin()) {
if ($this->has('new_password')) {
if ($this->has('old_password')) {
$user = $this->route('user');
if ($user && ! Hash::check($this->old_password, $user->password)) {
$validator->errors()->add('old_password', __('Existing password did not match'));
}
} else {
$validator->errors()->add('old_password', __('The :attribute field is required.', ['attribute' => 'old_password']));
}
}
}
});
}
}
Reference in New Issue View Git Blame Copy Permalink