Commit 74093ff9 authored by David Siegfried's avatar David Siegfried Committed by Jan-Hendrik Willms

secure actions, closes #3394

Closes #3394

Merge request studip/studip!2368
parent bede53e8
...@@ -978,6 +978,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -978,6 +978,7 @@ class Admin_UserController extends AuthenticatedController
*/ */
public function change_password_action($user_id) public function change_password_action($user_id)
{ {
CSRFProtection::verifyUnsafeRequest();
// mail address did not change, so skip this check // mail address did not change, so skip this check
$GLOBALS['MAIL_VALIDATE_BOX'] = false; $GLOBALS['MAIL_VALIDATE_BOX'] = false;
$UserManagement = new UserManagement($user_id); $UserManagement = new UserManagement($user_id);
...@@ -989,7 +990,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -989,7 +990,7 @@ class Admin_UserController extends AuthenticatedController
PageLayout::postError(_('Die Änderungen konnten nicht gespeichert werden.'), $details); PageLayout::postError(_('Die Änderungen konnten nicht gespeichert werden.'), $details);
} }
if (Request::int('from_index')) { if (Request::int('from_index')) {
$this->redirect('admin/user'); $this->relocate('admin/user');
} else { } else {
$this->redirect('admin/user/edit/' . $user_id); $this->redirect('admin/user/edit/' . $user_id);
} }
...@@ -1031,7 +1032,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1031,7 +1032,7 @@ class Admin_UserController extends AuthenticatedController
} }
if (Request::int('from_index')) { if (Request::int('from_index')) {
$this->redirect('admin/user'); $this->relocate('admin/user');
} else { } else {
$this->redirect('admin/user/edit/' . $user_id); $this->redirect('admin/user/edit/' . $user_id);
} }
...@@ -1044,6 +1045,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1044,6 +1045,7 @@ class Admin_UserController extends AuthenticatedController
*/ */
public function unlock_action($user_id) public function unlock_action($user_id)
{ {
CSRFProtection::verifyUnsafeRequest();
$user = User::find($user_id); $user = User::find($user_id);
$user->locked = 0; $user->locked = 0;
...@@ -1063,7 +1065,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1063,7 +1065,7 @@ class Admin_UserController extends AuthenticatedController
} }
if (Request::int('from_index')) { if (Request::int('from_index')) {
$this->redirect('admin/user'); $this->relocate('admin/user');
} else { } else {
$this->redirect('admin/user/edit/' . $user_id); $this->redirect('admin/user/edit/' . $user_id);
} }
...@@ -1146,6 +1148,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1146,6 +1148,7 @@ class Admin_UserController extends AuthenticatedController
*/ */
public function delete_studycourse_action($user_id, $fach_id, $abschlus_id) public function delete_studycourse_action($user_id, $fach_id, $abschlus_id)
{ {
CSRFProtection::verifyUnsafeRequest();
$user_stc = UserStudyCourse::find([$user_id, $fach_id, $abschlus_id]); $user_stc = UserStudyCourse::find([$user_id, $fach_id, $abschlus_id]);
$deleted = false; $deleted = false;
if ($user_stc) { if ($user_stc) {
...@@ -1167,19 +1170,19 @@ class Admin_UserController extends AuthenticatedController ...@@ -1167,19 +1170,19 @@ class Admin_UserController extends AuthenticatedController
*/ */
public function delete_institute_action($user_id, $institut_id) public function delete_institute_action($user_id, $institut_id)
{ {
CSRFProtection::verifyUnsafeRequest();
if ($GLOBALS['perm']->have_studip_perm("admin", $institut_id)) { if ($GLOBALS['perm']->have_studip_perm("admin", $institut_id)) {
$groups = GetAllStatusgruppen($institut_id); $groups = GetAllStatusgruppen($institut_id);
$group_list = GetRoleNames($groups, 0, '', true); $group_list = GetRoleNames($groups, 0, '', true);
if (is_array($group_list) && count($group_list) > 0) { if (is_array($group_list) && count($group_list) > 0) {
$query = "DELETE FROM statusgruppe_user StatusgruppeUser::deleteBySQL(
WHERE statusgruppe_id IN (?) AND user_id = ?"; "`statusgruppe_id` IN (?) AND `user_id` = ?",
$statement = DBManager::get()->prepare($query); [array_keys($group_list), $user_id]
$statement->execute([array_keys($group_list), $user_id]); );
} }
$db = DBManager::get()->prepare("DELETE FROM user_inst WHERE user_id = ? AND Institut_id = ?"); $count = InstituteMember::deleteBySQL("`user_id` = ? AND `Institut_id` = ?", [$user_id, $institut_id]);
$db->execute([$user_id, $institut_id]); if ($count === 1) {
if ($db->rowCount() == 1) {
StudipLog::log('INST_USER_DEL', $institut_id, $user_id); StudipLog::log('INST_USER_DEL', $institut_id, $user_id);
NotificationCenter::postNotification('UserInstitutionDidDelete', $institut_id, $user_id); NotificationCenter::postNotification('UserInstitutionDidDelete', $institut_id, $user_id);
InstituteMember::ensureDefaultInstituteForUser($user_id); InstituteMember::ensureDefaultInstituteForUser($user_id);
...@@ -1203,6 +1206,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1203,6 +1206,7 @@ class Admin_UserController extends AuthenticatedController
*/ */
public function delete_userdomain_action($user_id) public function delete_userdomain_action($user_id)
{ {
CSRFProtection::verifyUnsafeRequest();
$domain_id = Request::get('domain_id'); $domain_id = Request::get('domain_id');
UserDomain::find($domain_id)->removeUser($user_id); UserDomain::find($domain_id)->removeUser($user_id);
$result = AutoInsert::instance()->saveUser($user_id); $result = AutoInsert::instance()->saveUser($user_id);
...@@ -1221,11 +1225,12 @@ class Admin_UserController extends AuthenticatedController ...@@ -1221,11 +1225,12 @@ class Admin_UserController extends AuthenticatedController
} }
/** /**
* Reset notfication for user * Reset notification for user
* @param $user_id * @param $user_id
*/ */
public function reset_notification_action($user_id) public function reset_notification_action($user_id)
{ {
CSRFProtection::verifyUnsafeRequest();
$resetted = CourseMemberNotification::deleteBySQL("user_id = ?", [$user_id]); $resetted = CourseMemberNotification::deleteBySQL("user_id = ?", [$user_id]);
PageLayout::postSuccess(sprintf(_('Die Benachrichtigungseinstellungen für %s Veranstaltungen wurden zurück gesetzt.'), $resetted)); PageLayout::postSuccess(sprintf(_('Die Benachrichtigungseinstellungen für %s Veranstaltungen wurden zurück gesetzt.'), $resetted));
$this->redirect('admin/user/edit/' . $user_id); $this->redirect('admin/user/edit/' . $user_id);
...@@ -1237,6 +1242,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1237,6 +1242,7 @@ class Admin_UserController extends AuthenticatedController
*/ */
public function reset_tfa_action($user_id) public function reset_tfa_action($user_id)
{ {
CSRFProtection::verifyUnsafeRequest();
if (TFASecret::deleteByUser_id($user_id)) { if (TFASecret::deleteByUser_id($user_id)) {
PageLayout::postSuccess(_('Die Zwei-Faktor-Authentifizierung wurde für diese Person deaktiviert.')); PageLayout::postSuccess(_('Die Zwei-Faktor-Authentifizierung wurde für diese Person deaktiviert.'));
} }
...@@ -1688,7 +1694,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1688,7 +1694,7 @@ class Admin_UserController extends AuthenticatedController
_('Personenaccount entsperren'), _('Personenaccount entsperren'),
$this->url_for("admin/user/unlock/{$this->user->id}"), $this->url_for("admin/user/unlock/{$this->user->id}"),
Icon::create('lock-unlocked') Icon::create('lock-unlocked')
); )->asButton();
} else { } else {
$user_actions->addLink( $user_actions->addLink(
_('Personenaccount sperren'), _('Personenaccount sperren'),
...@@ -1703,7 +1709,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1703,7 +1709,7 @@ class Admin_UserController extends AuthenticatedController
_('Passwortlink zusenden'), _('Passwortlink zusenden'),
$this->url_for("admin/user/change_password/{$this->user->id}"), $this->url_for("admin/user/change_password/{$this->user->id}"),
Icon::create('key') Icon::create('key')
); )->asButton();
} }
$user_actions->addLink( $user_actions->addLink(
_('Person löschen'), _('Person löschen'),
...@@ -1716,7 +1722,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1716,7 +1722,7 @@ class Admin_UserController extends AuthenticatedController
_('Benachrichtigungen zurücksetzen'), _('Benachrichtigungen zurücksetzen'),
$this->url_for("admin/user/reset_notification/{$this->user->id}"), $this->url_for("admin/user/reset_notification/{$this->user->id}"),
Icon::create('refresh') Icon::create('refresh')
); )->asButton();
} }
if ($this->action === 'activities') { if ($this->action === 'activities') {
...@@ -1724,7 +1730,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1724,7 +1730,7 @@ class Admin_UserController extends AuthenticatedController
_('Alle Dateien des Nutzers aus Veranstaltungen und Einrichtungen als ZIP herunterladen'), _('Alle Dateien des Nutzers aus Veranstaltungen und Einrichtungen als ZIP herunterladen'),
$this->url_for("admin/user/download_user_files/{$this->user->user_id}"), $this->url_for("admin/user/download_user_files/{$this->user->user_id}"),
Icon::create('folder-full') Icon::create('folder-full')
); )->asButton();
} }
if ($this->user->id !== $GLOBALS['user']->id && TFASecret::exists($this->user->id)) { if ($this->user->id !== $GLOBALS['user']->id && TFASecret::exists($this->user->id)) {
...@@ -1732,7 +1738,7 @@ class Admin_UserController extends AuthenticatedController ...@@ -1732,7 +1738,7 @@ class Admin_UserController extends AuthenticatedController
_('Zwei-Faktor-Authentifizierung deaktivieren'), _('Zwei-Faktor-Authentifizierung deaktivieren'),
$this->url_for("admin/user/reset_tfa/{$this->user->id}"), $this->url_for("admin/user/reset_tfa/{$this->user->id}"),
Icon::create('code-qr') Icon::create('code-qr')
); )->asButton();
} }
$sidebar->insertWidget($user_actions, 'actions', 'user_actions'); $sidebar->insertWidget($user_actions, 'actions', 'user_actions');
......
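Review bot: The actions guarded in this file (`change_password_action`, `unlock_action`, `delete_studycourse_action`, `delete_institute_action`, `delete_userdomain_action`, `reset_notification_action`, `reset_tfa_action`) still answer plain GET requests, and if `CSRFProtection::verifyUnsafeRequest()` only validates the token on non-GET methods — as its name suggests — the state change remains reachable without any token; unless the framework rejects GET for these routes elsewhere, each action should refuse it explicitly, e.g. `if (!Request::isPost()) { throw new MethodNotAllowedException(); }` right after the CSRF call. Separately, `unlock_action` assigns `$user->locked = 0` without checking that `User::find($user_id)` returned an object, and `delete_userdomain_action` chains `->removeUser()` onto `UserDomain::find($domain_id)` the same way, so an unknown id raises an Error instead of a clean failure. The bodies of all these actions continue outside their hunks.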
...@@ -164,10 +164,13 @@ ...@@ -164,10 +164,13 @@
); );
if ($user->locked) { if ($user->locked) {
$actionMenu->addLink( $actionMenu->addButton(
$controller->url_for("admin/user/unlock/{$user->id}", ['from_index' => 1]), 'unlock',
_('Nutzeraccount entsperren'), _('Nutzeraccount entsperren'),
Icon::create('lock-unlocked') Icon::create('lock-unlocked'),
[
'formaction' => $controller->url_for("admin/user/unlock/{$user->id}", ['from_index' => 1])
]
); );
} else { } else {
$actionMenu->addLink( $actionMenu->addLink(
...@@ -180,10 +183,13 @@ ...@@ -180,10 +183,13 @@
if ($user->auth_plugin !== 'preliminary' && ($GLOBALS['perm']->have_perm('root') || $GLOBALS['perm']->is_fak_admin() || !in_array($user->perms, words('root admin')))) { if ($user->auth_plugin !== 'preliminary' && ($GLOBALS['perm']->have_perm('root') || $GLOBALS['perm']->is_fak_admin() || !in_array($user->perms, words('root admin')))) {
if (!StudipAuthAbstract::CheckField('auth_user_md5.password', $user->auth_plugin)) { if (!StudipAuthAbstract::CheckField('auth_user_md5.password', $user->auth_plugin)) {
$actionMenu->addLink( $actionMenu->addButton(
$controller->url_for("admin/user/change_password/{$user->id}", ['from_index' => 1]), 'change_password',
_('Passwortlink zusenden'), _('Passwortlink zusenden'),
Icon::create('key') Icon::create('key'),
[
'formaction' => $controller->url_for("admin/user/change_password/{$user->id}", ['from_index' => 1])
]
); );
} }
......
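Review bot: The `formaction` on the new `addButton()` calls only carries the CSRF token if the action menu is rendered inside a `<form>` that includes it; that form lies outside both hunks of this section, so confirm the menu is never rendered standalone. The unchanged condition above the second hunk keeps `in_array($user->perms, words('root admin'))` without a strict flag while the sibling template tightens `==` to `===`; `in_array($user->perms, words('root admin'), true)` would match that style. Both hunks share the first point.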
...@@ -246,7 +246,7 @@ use Studip\Button, Studip\LinkButton; ...@@ -246,7 +246,7 @@ use Studip\Button, Studip\LinkButton;
</label> </label>
<label class="col-2"> <label class="col-2">
<?= Icon::create('accept', 'accept')->asImg([ <?= Icon::create('accept', Icon::ROLE_ACCEPT)->asImg([
'id' => 'pw_success', 'id' => 'pw_success',
'style' => 'display: none', 'style' => 'display: none',
]) ?> ]) ?>
...@@ -425,12 +425,14 @@ use Studip\Button, Studip\LinkButton; ...@@ -425,12 +425,14 @@ use Studip\Button, Studip\LinkButton;
htmlReady($usc->semester), htmlReady($usc->semester),
_('Fachsemester') _('Fachsemester')
) ?> ) ?>
<a href="<?= $controller->url_for('admin/user/delete_studycourse/' . $user->user_id . '/' . $usc->fach_id . '/' . $usc->abschluss_id) ?>"> <?= Icon::create('trash')->asInput(
<?= Icon::create('trash')->asImg([ [
'class' => 'text-bottom', 'class' => 'text-bottom',
'title' => _('Diesen Studiengang löschen'), 'title' => _('Diesen Studiengang löschen'),
]) ?> 'data-confirm' => _('Sind Sie sicher, dass Sie diesen Studiengang löschen wollen?'),
</a> 'formaction' => $controller->delete_studycourseURL($user->user_id, $usc->fach_id, $usc->abschluss_id)
]
)?>
<? $versionen = StgteilVersion::findByFachAbschluss($usc->fach_id, $usc->abschluss_id); ?> <? $versionen = StgteilVersion::findByFachAbschluss($usc->fach_id, $usc->abschluss_id); ?>
<? $versionen = array_filter($versionen, function ($ver) { <? $versionen = array_filter($versionen, function ($ver) {
return $ver->hasPublicStatus('genehmigt'); return $ver->hasPublicStatus('genehmigt');
...@@ -464,12 +466,14 @@ use Studip\Button, Studip\LinkButton; ...@@ -464,12 +466,14 @@ use Studip\Button, Studip\LinkButton;
<?= htmlReady($inst_membership->institute->name) ?> <?= htmlReady($inst_membership->institute->name) ?>
<? if ($GLOBALS['perm']->have_studip_perm('admin', $inst_membership->institut_id)) : ?> <? if ($GLOBALS['perm']->have_studip_perm('admin', $inst_membership->institut_id)) : ?>
<a href="<?= $controller->url_for('admin/user/delete_institute/' . $user->user_id . '/' . $inst_membership->institut_id) ?>"> <?= Icon::create('trash')->asInput(
<?= Icon::create('trash')->asImg([ [
'class' => 'text-bottom', 'class' => 'text-bottom',
'title' => _('Diese Einrichtung löschen'), 'title' => _('Diese Einrichtung löschen'),
]) ?> 'data-confirm' => _('Sind Sie sicher, dass Sie diese Einrichtung löschen wollen?'),
</a> 'formaction' => $controller->delete_instituteURL($user->user_id, $inst_membership->institut_id)
]
)?>
<? endif; ?> <? endif; ?>
</li> </li>
<? endforeach; ?> <? endforeach; ?>
...@@ -494,7 +498,7 @@ use Studip\Button, Studip\LinkButton; ...@@ -494,7 +498,7 @@ use Studip\Button, Studip\LinkButton;
</option> </option>
<? foreach ($available_institutes as $i) : ?> <? foreach ($available_institutes as $i) : ?>
<? if (InstituteMember::countBySql('user_id = ? AND institut_id = ?', [$user->user_id, $i['Institut_id']]) == 0 <? if (InstituteMember::countBySql('user_id = ? AND institut_id = ?', [$user->user_id, $i['Institut_id']]) == 0
&& (!($i['is_fak'] && $user->perms == 'admin') || $GLOBALS['perm']->have_perm('root')) && (!($i['is_fak'] && $user->perms === 'admin') || $GLOBALS['perm']->have_perm('root'))
) : ?> ) : ?>
<option class="<?= $i['is_fak'] ? 'nested-item-header' : 'nested-item' ?>" <option class="<?= $i['is_fak'] ? 'nested-item-header' : 'nested-item' ?>"
value="<?= htmlReady($i['Institut_id']) ?>"> value="<?= htmlReady($i['Institut_id']) ?>">
...@@ -523,12 +527,14 @@ use Studip\Button, Studip\LinkButton; ...@@ -523,12 +527,14 @@ use Studip\Button, Studip\LinkButton;
'title' => _('Diese Einrichtung bearbeiten'), 'title' => _('Diese Einrichtung bearbeiten'),
]) ?> ]) ?>
</a> </a>
<a href="<?= $controller->url_for('admin/user/delete_institute/' . $user->user_id . '/' . $inst_membership->institut_id) ?>"> <?= Icon::create('trash')->asInput(
<?= Icon::create('trash')->asImg([ [
'class' => 'text-bottom', 'class' => 'text-bottom',
'title' => _('Diese Einrichtung löschen'), 'title' => _('Diese Einrichtung löschen'),
]) ?> 'data-confirm' => _('Sind Sie sicher, dass Sie diese Einrichtung löschen wollen?'),
</a> 'formaction' => $controller->delete_instituteURL($user->user_id, $inst_membership->institut_id)
]
)?>
<? endif; ?> <? endif; ?>
</li> </li>
<? endforeach; ?> <? endforeach; ?>
...@@ -537,46 +543,49 @@ use Studip\Button, Studip\LinkButton; ...@@ -537,46 +543,49 @@ use Studip\Button, Studip\LinkButton;
<? endif;?> <? endif;?>
</fieldset> </fieldset>
<fieldset> <? if (!empty($domains) || !empty($userdomains)) : ?>
<legend> <fieldset>
<?= _('Nutzerdomänen') ?> <legend>
</legend> <?= _('Nutzerdomänen') ?>
</legend>
<? if (!empty($domains)) : ?>
<label class="col-3">
<?= _('Neue Nutzerdomäne') ?>
<select name="new_userdomain" id="new_userdomain"> <label class="col-3">
<option selected value="none"><?= _('-- Bitte Nutzerdomäne auswählen --') ?></option> <?= _('Neue Nutzerdomäne') ?>
<? foreach ($domains as $domain) : ?>
<option value="<?= $domain->id ?>">
<?= htmlReady(my_substr($domain->name, 0, 50)) ?>
</option>
<? endforeach ?>
</select>
</label>
<? endif ?>
<? if (count($userdomains) > 0): ?> <select name="new_userdomain" id="new_userdomain">
<section class="col-3"> <option selected value="none"><?= _('-- Bitte Nutzerdomäne auswählen --') ?></option>
<ol class="default"> <? foreach ($domains as $domain) : ?>
<? foreach ($userdomains as $i => $domain): ?> <option value="<?= $domain->id ?>">
<li> <?= htmlReady(my_substr($domain->name, 0, 50)) ?>
<?= htmlReady($domain->name) ?> </option>
<? endforeach ?>
</select>
</label>
<a href="<?= $controller->url_for('admin/user/delete_userdomain/' . $user->id, ['domain_id' => $domain->id]) ?>">
<?= Icon::create('trash')->asImg([ <? if (count($userdomains) > 0): ?>
'class' => 'text-bottom', <section class="col-3">
'title' => _('Aus dieser Nutzerdomäne austragen'), <ol class="default">
]) ?> <? foreach ($userdomains as $i => $domain): ?>
</a> <li>
</li> <?= htmlReady($domain->name) ?>
<? endforeach; ?> <?= Icon::create('trash')->asInput(
</ol> [
</section> 'class' => 'text-bottom',
<? endif; ?> 'title' => _('Aus dieser Nutzerdomäne austragen'),
</fieldset> 'data-confirm' => _('Sind Sie sicher, dass sie die Person aus der Nutzerdomäne austragen wollen?'),
<? endif; /* $user['perms'] !== 'root' */ ?> 'formaction' => $controller->delete_userdomainURL($user->id, ['domain_id' => $domain->id])
]
)?>
</li>
<? endforeach; ?>
</ol>
</section>
<? endif; ?>
</fieldset>
<? endif ?>
<? endif;?>
<? if ($GLOBALS['perm']->have_perm('root') && count(LockRule::findAllByType('user')) > 0) : ?> <? if ($GLOBALS['perm']->have_perm('root') && count(LockRule::findAllByType('user')) > 0) : ?>
<fieldset> <fieldset>
......
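Review bot: In the rebuilt user-domain fieldset the outer guard uses `!empty($userdomains)` while the inner list still uses `count($userdomains) > 0`; if `$domains` is set but `$userdomains` is `null`, `count()` throws a TypeError on PHP 8, so the inner check should read `<? if (!empty($userdomains)): ?>`. The `asInput()` delete buttons now submit the enclosing edit form via `formaction`, so every field of that form is posted to the delete actions — harmless if those only read their route parameters, but a comment at the first `asInput()` such as `<? /* submit reuses the page form so the CSRF token is sent with the delete */ ?>` would make the intent clear. In the institute hunk, `countBySql(...) == 0` is left loose on the line where `==` was tightened to `===`; `=== 0` keeps the two comparisons consistent.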