VCL-467

Members of a group from one affiliation have access to groups with the same name from other affiliations


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2, 2.2.1
    • Fix Version/s: 2.2.2, 2.3
    • Component/s: web gui (frontend)
    • Environment: PHP 5.1 on CentOS 5.5

    Description

      A user with permission to edit a certain group for a certain affiliation has access to the groups with the same name from other affiliations. For instance, if a user is a member of admin@EXAMPLE1 and therefore can modify the group All users@EXAMPLE1, it turns out that the user can also modify the group All users@EXAMPLE2 and potentially also admin@EXAMPLE2. The reason for this is that the permissions check in the PHP code is based on group name rather than group ID. This appears to only affect the "Manage Groups" page and the "Privileges" page.

      I have included patches that check the value of 'editgroupid' rather than just 'editgroup', thereby comparing unique IDs rather than possibly non-unique names.

      The .ht-inc/groups.php page can be fixed with this patch:

      137,138c137,138
      < if(array_key_exists("editgroup", $usergroups[$id]) &&
      < in_array($usergroups[$id]["editgroup"], $user["groups"]))

      > if(array_key_exists("editgroupid", $usergroups[$id]) &&
      > array_key_exists($usergroups[$id]["editgroupid"], $user["groups"]))
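Review bot: the new test reads `$usergroups[$id]["editgroupid"]`, but this patch touches no query in groups.php, whereas the privileges.php part of the same patch has to add `g2.editusergroupid AS editgroupid` to its SELECT before it can use that key. Confirm that the query building `$usergroups` for the Manage Groups page already returns `editgroupid`; if it does not, `array_key_exists("editgroupid", ...)` is false for every row and no group is editable by anyone (fail closed, but a regression). The switch from `in_array` to `array_key_exists` also assumes `$user["groups"]` is keyed by group ID rather than being a plain list of names; the later `foreach($_user["groups"] as $groupid => $groupname)` hunk suggests that is the case, but it is worth stating in the commit message.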

      The .ht-inc/privileges.php page can be fixed with this patch:

      1715c1715,1716
      < . "g2.name AS editgroup "

      > . "g2.name AS editgroup, "
      > . "g2.editusergroupid AS editgroupid "
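Review bot: the trailing space inside `"g2.editusergroupid AS editgroupid "` matters, since the original `"g2.name AS editgroup "` relied on the same trick before the next concatenated clause; keep it. If `g2` is brought in with a LEFT JOIN, a group without an edit group now yields `editgroupid` NULL, and the check below that consumes it will deny everyone except the owner, which is the right fail-closed outcome.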
      1727c1728
      < if($grpdata["ownerid"] != $user["id"] && ! (in_array($grpdata["editgroup"], $user["groups"]))) {

      > if($grpdata["ownerid"] != $user["id"] && ! (array_key_exists($grpdata["editgroupid"], $user["groups"]))) {
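Review bot: `array_key_exists($grpdata["editgroupid"], $user["groups"])` is the right comparison, but it only works if `$user["groups"]` is keyed by usergroup ID; that matches the `foreach($_user["groups"] as $groupid => $groupname)` change later in this patch, so make sure both arrays come from the same loader. No cast is needed: `$grpdata["editgroupid"]` arrives from the DB as a string while the array keys are ints, and PHP normalizes integer-like string keys, so `array_key_exists("3", array(3 => 'x'))` is true.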
      2592c2593
      < foreach($_user["groups"] as $groupname) {

      > foreach($_user["groups"] as $groupid => $groupname) {
      2594,2600c2595,2604
      < # (has cascaded $priv && ! have block at this node) return 1
      < if((array_key_exists($groupname, $privs["usergroups"]) &&
      < in_array($priv, $privs["usergroups"][$groupname]['privs'])) ||
      < ((array_key_exists($groupname, $cascadePrivs["usergroups"]) &&
      < in_array($priv, $cascadePrivs["usergroups"][$groupname]['privs'])) &&
      < (! array_key_exists($groupname, $privs["usergroups"]) ||
      < ! in_array("block", $privs["usergroups"][$groupname]['privs'])))) {

      > # (has cascaded $priv && ! have block at this node) return 1
      > if((array_key_exists($groupname, $privs["usergroups"]) &&
      > $groupid == $privs["usergroups"][$groupname]['id'] &&
      > in_array($priv, $privs["usergroups"][$groupname]['privs'])) ||
      > ((array_key_exists($groupname, $cascadePrivs["usergroups"]) &&
      > $groupid == $cascadePrivs["usergroups"][$groupname]['id'] &&
      > in_array($priv, $cascadePrivs["usergroups"][$groupname]['privs'])) &&
      > (! array_key_exists($groupname, $privs["usergroups"]) ||
      > (! in_array("block", $privs["usergroups"][$groupname]['privs']) &&
      > $privs["usergroups"][$groupname]['id'] == $groupid)))) {
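Review bot: the `block` clause at the end of this hunk misbehaves in exactly the same-name case it is meant to handle. When `$privs["usergroups"][$groupname]` holds the entry of a different group ID (another affiliation's group with the same name), `! array_key_exists(...)` is false and `(! in_array("block", ...) && $privs["usergroups"][$groupname]['id'] == $groupid)` is also false, so the cascaded privilege is denied even though this group has no block at the node. An entry belonging to another group should count as no entry, i.e. the last condition should read `(! array_key_exists($groupname, $privs["usergroups"]) || $privs["usergroups"][$groupname]['id'] != $groupid || ! in_array("block", $privs["usergroups"][$groupname]['privs']))`. The deeper problem is that `$privs["usergroups"]` and `$cascadePrivs["usergroups"]` are still keyed by name, so if two same-named groups from different affiliations both have privileges at one node only one entry survives and the other's privileges are silently lost; keying these arrays by group ID (or name plus affiliation) would remove the need for the added `['id']` comparisons altogether. Also confirm that the code populating these arrays actually sets `['id']`; that change is not in this patch. The `==` comparisons are correct as written: `$groupid` is an int array key and `['id']` will be a string if it comes straight from the DB, so `===` would fail there.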

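As an added illustration, not code from the VCL project or from the reporter's patch, the following PHP script reconstructs the two checks on constructed data: four groups, two per affiliation, a user who is a member of admin@EXAMPLE1 only, and the name-based test beside the ID-based one. The table layout, the `canEditByName`/`canEditById` helpers and the `label` helper are assumptions made for this example; VCL reads the real rows from the database in .ht-inc/groups.php.

```php
<?php
// Added example (not VCL project code): minimal reproduction of the VCL-467
// edit-permission check before and after the fix, on constructed data.

// Constructed usergroup table: id => row. The two "All users" groups share a
// name but belong to different affiliations, as in the bug report.
$usergroups = array(
    1 => array('name' => 'admin',     'affiliation' => 'EXAMPLE1', 'editusergroupid' => 1),
    2 => array('name' => 'All users', 'affiliation' => 'EXAMPLE1', 'editusergroupid' => 1),
    3 => array('name' => 'admin',     'affiliation' => 'EXAMPLE2', 'editusergroupid' => 3),
    4 => array('name' => 'All users', 'affiliation' => 'EXAMPLE2', 'editusergroupid' => 3),
);

// Resolve each group's edit group the way the page's query does:
// 'editgroup' is the NAME of the group allowed to edit it, 'editgroupid' its ID.
foreach ($usergroups as $id => &$g) {
    $g['editgroup']   = $usergroups[$g['editusergroupid']]['name'];
    $g['editgroupid'] = $g['editusergroupid'];
}
unset($g);

// A user's membership as the patch assumes VCL stores it: groupid => groupname.
// This user belongs to admin@EXAMPLE1 (id 1) and nothing else.
$user = array('id' => 42, 'groups' => array(1 => 'admin'));

// Vulnerable check (pre-patch): compares the edit group's name against the
// names of the user's groups, so any group whose edit group is called
// 'admin' matches, regardless of affiliation.
function canEditByName(array $user, array $group)
{
    return array_key_exists('editgroup', $group)
        && in_array($group['editgroup'], $user['groups']);
}

// Fixed check (post-patch): compares the edit group's ID against the keys of
// $user['groups']; IDs are unique across affiliations, names are not.
function canEditById(array $user, array $group)
{
    return array_key_exists('editgroupid', $group)
        && array_key_exists($group['editgroupid'], $user['groups']);
}

// Helper for display only: "name@AFFILIATION" as the report writes it.
function label(array $g)
{
    return $g['name'] . '@' . $g['affiliation'];
}

foreach ($usergroups as $id => $g) {
    printf("%-20s by name: %-6s by id: %s\n",
        label($g),
        canEditByName($user, $g) ? 'allow' : 'deny',
        canEditById($user, $g)   ? 'allow' : 'deny');
}
```

Run it with `php` on the command line. The name-based column allows all four rows, including admin@EXAMPLE2 and All users@EXAMPLE2, because `in_array('admin', ...)` cannot tell the two admin groups apart; the ID-based column allows only the two EXAMPLE1 rows, since edit group ID 3 is not a key of `$user['groups']`. Note that `array_key_exists` accepts the ID as either int or numeric string, so no cast is needed when the value comes from a DB row.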
People

    Assignee: jfthomps Josh Thompson
    Reporter: acoburn Aaron Coburn
Time Tracking

    Original Estimate: 1h
    Remaining Estimate: 1h
    Time Spent: Not Specified