Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-01 01:36:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

Guests: Prevented access to profile routes

Browse Source 
Prevention of action on certain routes for guest user when public access
is enabled. Could not see a way this could be a security issue, beyond a
mild nuisance that'd only be visible if public users can edit, which
would present larger potential nuisance anyway.
This commit is contained in:
Dan Brown 2023-08-26 14:07:48 +01:00
parent 32516f7b68
commit 9100a82b47
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/Users/Controllers/UserController.php
View File

@ -103,6 +103,7 @@ class UserController extends Controller
*/
public function edit(int $id, SocialAuthService $socialAuthService)
{
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id);
@ -133,6 +134,7 @@ class UserController extends Controller
public function update(Request $request, int $id)
{
$this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$validated = $this->validate($request, [
@ -176,6 +178,7 @@ class UserController extends Controller
*/
public function delete(int $id)
{
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id);
@ -192,6 +195,7 @@ class UserController extends Controller
public function destroy(Request $request, int $id)
{
$this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id);

12
tests/PublicActionTest.php
View File

@ -207,4 +207,16 @@ class PublicActionTest extends TestCase
$this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
}
public function test_public_user_cannot_view_or_update_their_profile()
{
$this->setSettings(['app-public' => 'true']);
$guest = $this->users->guest();
$resp = $this->get($guest->getEditUrl());
$this->assertPermissionError($resp);
$resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
$this->assertPermissionError($resp);
}
}