fix(api): v1 security fix

polonel · May 16, 2022 · 49befa2 · 49befa2
1 parent 7f4eac1
commit 49befa2
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/src/controllers/api/v1/tickets.js b/src/controllers/api/v1/tickets.js
@@ -530,11 +530,23 @@ apiTickets.createPublicTicket = function (req, res) {
 
   var user, group, ticket, plainTextPass
 
+  var settingSchema = require('../../../models/setting')
+
   async.waterfall(
     [
       function (next) {
-        var settingSchmea = require('../../../models/setting')
-        settingSchmea.getSetting('role:user:default', function (err, roleDefault) {
+        settingSchema.getSetting('allowPublicTickets:enable', function (err, allowPublicTickets) {
+          if (err) return next(err)
+          if (!allowPublicTickets) {
+            winston.warn('Public ticket creation attempted while disabled!')
+            return next('Public ticket creation is disabled!')
+          }
+
+          return next()
+        })
+      },
+      function (next) {
+        settingSchema.getSetting('role:user:default', function (err, roleDefault) {
           if (err) return next(err)
           if (!roleDefault) {
             winston.error('No Default User Role Set. (Settings > Permissions > Default User Role)')

diff --git a/src/controllers/api/v1/users.js b/src/controllers/api/v1/users.js
@@ -263,7 +263,6 @@ apiUsers.create = function (req, res) {
  */
 apiUsers.createPublicAccount = function (req, res) {
   const SettingSchema = require('../../../models/setting')
-  const SettingsUtil = require('../../../settings/settingsUtil')
 
   const response = {}
   response.success = true
@@ -274,6 +273,17 @@ apiUsers.createPublicAccount = function (req, res) {
 
   async.waterfall(
     [
+      function (next) {
+        SettingSchema.getSetting('allowUserRegistration:enable', function (err, allowUserRegistration) {
+          if (err) return next(err)
+          if (!allowUserRegistration) {
+            winston.warn('Public account creation was attempted while disabled!')
+            return next({ message: 'Public account creation is disabled.' })
+          }
+
+          return next()
+        })
+      },
       function (next) {
         SettingSchema.getSetting('role:user:default', function (err, roleDefault) {
           if (err) return next(err)