Fix CWE-269 - huntr - Fix set of email without edit user permission

Dolibarr · May 24, 2021 · bb64a25 · bb64a25
1 parent 31af74f
commit bb64a25
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 39 deletions.
diff --git a/htdocs/core/class/ldap.class.php b/htdocs/core/class/ldap.class.php
@@ -932,7 +932,7 @@ public function getAttributeValues($filterrecord, $attribute)
 	 * 	Returns an array containing a details or list of LDAP record(s)
 	 * 	ldapsearch -LLLx -hlocalhost -Dcn=admin,dc=parinux,dc=org -w password -b "ou=adherents,ou=people,dc=parinux,dc=org" userPassword
 	 *
-	 *	@param	string	$search			 	Value of fiel to search, '*' for all. Not used if $activefilter is set.
+	 *	@param	string	$search			 	Value of field to search, '*' for all. Not used if $activefilter is set.
 	 *	@param	string	$userDn			 	DN (Ex: ou=adherents,ou=people,dc=parinux,dc=org)
 	 *	@param	string	$useridentifier 	Name of key field (Ex: uid)
 	 *	@param	array	$attributeArray 	Array of fields required. Note this array must also contains field $useridentifier (Ex: sn,userPassword)

diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php
@@ -59,24 +59,6 @@
 	$socid = $user->socid;
 }
 $feature2 = (($socid && $user->rights->user->self->creer) ? '' : 'user');
-// Ok if user->rights->salaries->read or user->rights->hrm->read
-//$result = restrictedArea($user, 'salaries|hrm', $id, 'user&user', $feature2);
-$ok = false;
-if ($user->id == $id) {
-	$ok = true; // A user can always read its own card
-}
-if (!empty($user->rights->salaries->read)) {
-	$ok = true;
-}
-if (!empty($user->rights->hrm->read)) {
-	$ok = true;
-}
-if (!empty($user->rights->expensereport->lire) && ($user->id == $object->id || $user->rights->expensereport->readall)) {
-	$ok = true;
-}
-if (!$ok) {
-	accessforbidden();
-}
 
 $object = new User($db);
 if ($id > 0 || !empty($ref)) {
@@ -94,14 +76,37 @@
 	$account->userid = $object->id;
 }
 
+
+// Define value to know what current user can do on users
+$canadduser = (!empty($user->admin) || $user->rights->user->user->creer);
+$canreaduser = (!empty($user->admin) || $user->rights->user->user->lire);
 $permissiontoaddbankaccount = (!empty($user->rights->salaries->write) || !empty($user->rights->hrm->employee->write) || !empty($user->rights->user->creer));
 
+// Ok if user->rights->salaries->read or user->rights->hrm->read
+//$result = restrictedArea($user, 'salaries|hrm', $id, 'user&user', $feature2);
+$ok = false;
+if ($user->id == $id) {
+	$ok = true; // A user can always read its own card
+}
+if (!empty($user->rights->salaries->read)) {
+	$ok = true;
+}
+if (!empty($user->rights->hrm->read)) {
+	$ok = true;
+}
+if (!empty($user->rights->expensereport->lire) && ($user->id == $object->id || $user->rights->expensereport->readall)) {
+	$ok = true;
+}
+if (!$ok) {
+	accessforbidden();
+}
+
 
 /*
  *	Actions
  */
 
-if ($action == 'add' && !$cancel) {
+if ($action == 'add' && !$cancel && $permissiontoaddbankaccount) {
 	$account->userid          = $object->id;
 
 	$account->bank            = GETPOST('bank', 'alpha');
@@ -128,7 +133,7 @@
 	}
 }
 
-if ($action == 'update' && !$cancel) {
+if ($action == 'update' && !$cancel && $permissiontoaddbankaccount) {
 	$account->userid = $object->id;
 
 	/*
@@ -199,7 +204,7 @@
 }
 
 // update personal email
-if ($action == 'setpersonal_email') {
+if ($action == 'setpersonal_email' && $canadduser) {
 	$object->personal_email = (string) GETPOST('personal_email', 'alphanohtml');
 	$result = $object->update($user);
 	if ($result < 0) {
@@ -208,34 +213,35 @@
 }
 
 // update personal mobile
-if ($action == 'setpersonal_mobile') {
+if ($action == 'setpersonal_mobile' && $canadduser) {
 	$object->personal_mobile = (string) GETPOST('personal_mobile', 'alphanohtml');
 	$result = $object->update($user);
 	if ($result < 0) {
 		setEventMessages($object->error, $object->errors, 'errors');
 	}
 }
 
-// update default_c_exp_tax_cat
-if ($action == 'setdefault_c_exp_tax_cat') {
-	$object->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat', 'int');
-	$result = $object->update($user);
-	if ($result < 0) {
-		setEventMessages($object->error, $object->errors, 'errors');
+if (!empty($conf->global->MAIN_USE_EXPENSE_IK)) {
+	// update default_c_exp_tax_cat
+	if ($action == 'setdefault_c_exp_tax_cat' && $canadduser) {
+		$object->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat', 'int');
+		$result = $object->update($user);
+		if ($result < 0) {
+			setEventMessages($object->error, $object->errors, 'errors');
+		}
 	}
-}
 
-// update default range
-if ($action == 'setdefault_range') {
-	$object->default_range = GETPOST('default_range', 'int');
-	$result = $object->update($user);
-	if ($result < 0) {
-		setEventMessages($object->error, $object->errors, 'errors');
+	// update default range
+	if ($action == 'setdefault_range' && $canadduser) {
+		$object->default_range = GETPOST('default_range', 'int');
+		$result = $object->update($user);
+		if ($result < 0) {
+			setEventMessages($object->error, $object->errors, 'errors');
+		}
 	}
 }
 
 
-
 /*
  *	View
  */

diff --git a/htdocs/user/card.php b/htdocs/user/card.php
@@ -615,8 +615,8 @@
 	}
 
 	// Action initialisation donnees depuis record LDAP
-	if ($action == 'adduserldap') {
-		$selecteduser = $_POST['users'];
+	if ($action == 'adduserldap' && $canadduser) {
+		$selecteduser = GETPOST('users');
 
 		$required_fields = array(
 			$conf->global->LDAP_KEY_USERS,