[jira] [Created] (VCL-467) Members of a group from one affiliation have access to groups from other affiliations with the same name

Thu, 12 May 2011 07:55:42 -0700 

Members of a group from one affiliation have access to groups from other 
affiliations with the same name
--------------------------------------------------------------------------------------------------------

                 Key: VCL-467
                 URL: https://issues.apache.org/jira/browse/VCL-467
             Project: VCL
          Issue Type: Bug
          Components: web gui (frontend)
    Affects Versions: 2.2.1, 2.2
         Environment: PHP 5.1 on CentOS 5.5
            Reporter: Aaron Coburn
             Fix For: 2.3


A user with permission to edit a certain group for a certain affiliation has 
access to the groups with the same name from other affiliations. For instance, 
if a user is a member of admin@EXAMPLE1 and therefore can modify the group All 
users@EXAMPLE1, it turns out that the user can also modify the group All 
users@EXAMPLE2 and potentially also admin@EXAMPLE2. The reason for this is that 
the permissions check in the PHP code is based on group name rather than group 
ID. This appears to only affect the "Manage Groups" page and the "Privileges" 
page.

I have included patches that check the value of 'editgroupid' rather than just 
'editgroup', thereby comparing unique IDs rather than possibly non-unique names.

The .ht-inc/groups.php page can be fixed with this patch:

137,138c137,138
<               if(array_key_exists("editgroup", $usergroups[$id]) &&
<                  in_array($usergroups[$id]["editgroup"], $user["groups"]))
---
>               if(array_key_exists("editgroupid", $usergroups[$id]) &&
>             array_key_exists($usergroups[$id]["editgroupid"], 
> $user["groups"]))

The .ht-inc/privileges.php page can be fixed with this patch:

1715c1715,1716
<              .        "g2.name AS editgroup "
---
>            .        "g2.name AS editgroup, "
>            .        "g2.editusergroupid AS editgroupid "
1727c1728
<       if($grpdata["ownerid"] != $user["id"] && ! 
(in_array($grpdata["editgroup"], $user["groups"]))) {
---
>       if($grpdata["ownerid"] != $user["id"] && ! 
> (array_key_exists($grpdata["editgroupid"], $user["groups"]))) {
2592c2593
<       foreach($_user["groups"] as $groupname) {
---
>       foreach($_user["groups"] as $groupid => $groupname) {
2594,2600c2595,2604
<               # (has cascaded $priv && ! have block at this node) return 1
<               if((array_key_exists($groupname, $privs["usergroups"]) &&
<                  in_array($priv, $privs["usergroups"][$groupname]['privs'])) 
||
<                  ((array_key_exists($groupname, $cascadePrivs["usergroups"]) 
&&
<                  in_array($priv, 
$cascadePrivs["usergroups"][$groupname]['privs'])) &&
<                  (! array_key_exists($groupname, $privs["usergroups"]) ||
<                  ! in_array("block", 
$privs["usergroups"][$groupname]['privs'])))) {
---
>         # (has cascaded $priv && ! have block at this node) return 1
>         if((array_key_exists($groupname, $privs["usergroups"]) && 
>            $groupid == $privs["usergroups"][$groupname]['id'] &&
>            in_array($priv, $privs["usergroups"][$groupname]['privs'])) ||
>            ((array_key_exists($groupname, $cascadePrivs["usergroups"]) && 
>            $groupid == $cascadePrivs["usergroups"][$groupname]['id'] &&
>            in_array($priv, $cascadePrivs["usergroups"][$groupname]['privs'])) 
> &&
>            (! array_key_exists($groupname, $privs["usergroups"]) ||
>            (! in_array("block", $privs["usergroups"][$groupname]['privs']) && 
>            $privs["usergroups"][$groupname]['id'] == $groupid)))) {



--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to