Commit ab098655 authored by David Siegfried's avatar David Siegfried

secure actions, closes #3394

Closes #3394

Merge request !2368
parent 3f5fa2d8
......@@ -978,6 +978,7 @@ class Admin_UserController extends AuthenticatedController
*/
public function change_password_action($user_id)
{
CSRFProtection::verifyUnsafeRequest();
// mail address did not change, so skip this check
$GLOBALS['MAIL_VALIDATE_BOX'] = false;
$UserManagement = new UserManagement($user_id);
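Review bot: The new `CSRFProtection::verifyUnsafeRequest()` at the top of `change_password_action` (and the identical line added to `unlock_action`, `delete_studycourse_action`, `delete_institute_action`, `delete_userdomain_action`, `reset_notification_action` and `reset_tfa_action` further down) only closes the hole if the request method is also restricted; judging by its name it presumably validates the token for unsafe methods only, so a plain GET to `admin/user/change_password/<id>` would still reach the body. Make the state-changing actions POST-only before the token check, e.g. `if (!Request::isPost()) { throw new MethodNotAllowedException(); }`, if that exception is available here. `delete_userdomain_action` additionally calls `->removeUser()` directly on `UserDomain::find($domain_id)` with no null guard, so an unknown or stale `domain_id` would presumably end in a fatal error instead of a user-facing message. The body of `change_password_action` continues outside the hunk.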
......@@ -989,7 +990,7 @@ class Admin_UserController extends AuthenticatedController
PageLayout::postError(_('Die Änderungen konnten nicht gespeichert werden.'), $details);
}
if (Request::int('from_index')) {
$this->redirect('admin/user');
$this->relocate('admin/user');
} else {
$this->redirect('admin/user/edit/' . $user_id);
}
......@@ -1031,7 +1032,7 @@ class Admin_UserController extends AuthenticatedController
}
if (Request::int('from_index')) {
$this->redirect('admin/user');
$this->relocate('admin/user');
} else {
$this->redirect('admin/user/edit/' . $user_id);
}
......@@ -1044,6 +1045,7 @@ class Admin_UserController extends AuthenticatedController
*/
public function unlock_action($user_id)
{
CSRFProtection::verifyUnsafeRequest();
$user = User::find($user_id);
$user->locked = 0;
......@@ -1063,7 +1065,7 @@ class Admin_UserController extends AuthenticatedController
}
if (Request::int('from_index')) {
$this->redirect('admin/user');
$this->relocate('admin/user');
} else {
$this->redirect('admin/user/edit/' . $user_id);
}
......@@ -1146,6 +1148,7 @@ class Admin_UserController extends AuthenticatedController
*/
public function delete_studycourse_action($user_id, $fach_id, $abschlus_id)
{
CSRFProtection::verifyUnsafeRequest();
$user_stc = UserStudyCourse::find([$user_id, $fach_id, $abschlus_id]);
$deleted = false;
if ($user_stc) {
......@@ -1167,19 +1170,19 @@ class Admin_UserController extends AuthenticatedController
*/
public function delete_institute_action($user_id, $institut_id)
{
CSRFProtection::verifyUnsafeRequest();
if ($GLOBALS['perm']->have_studip_perm("admin", $institut_id)) {
$groups = GetAllStatusgruppen($institut_id);
$group_list = GetRoleNames($groups, 0, '', true);
if (is_array($group_list) && count($group_list) > 0) {
$query = "DELETE FROM statusgruppe_user
WHERE statusgruppe_id IN (?) AND user_id = ?";
$statement = DBManager::get()->prepare($query);
$statement->execute([array_keys($group_list), $user_id]);
StatusgruppeUser::deleteBySQL(
"`statusgruppe_id` IN (?) AND `user_id` = ?",
[array_keys($group_list), $user_id]
);
}
$db = DBManager::get()->prepare("DELETE FROM user_inst WHERE user_id = ? AND Institut_id = ?");
$db->execute([$user_id, $institut_id]);
if ($db->rowCount() == 1) {
$count = InstituteMember::deleteBySQL("`user_id` = ? AND `Institut_id` = ?", [$user_id, $institut_id]);
if ($count === 1) {
StudipLog::log('INST_USER_DEL', $institut_id, $user_id);
NotificationCenter::postNotification('UserInstitutionDidDelete', $institut_id, $user_id);
InstituteMember::ensureDefaultInstituteForUser($user_id);
......@@ -1203,6 +1206,7 @@ class Admin_UserController extends AuthenticatedController
*/
public function delete_userdomain_action($user_id)
{
CSRFProtection::verifyUnsafeRequest();
$domain_id = Request::get('domain_id');
UserDomain::find($domain_id)->removeUser($user_id);
$result = AutoInsert::instance()->saveUser($user_id);
......@@ -1221,11 +1225,12 @@ class Admin_UserController extends AuthenticatedController
}
/**
* Reset notfication for user
* Reset notification for user
* @param $user_id
*/
public function reset_notification_action($user_id)
{
CSRFProtection::verifyUnsafeRequest();
$resetted = CourseMemberNotification::deleteBySQL("user_id = ?", [$user_id]);
PageLayout::postSuccess(sprintf(_('Die Benachrichtigungseinstellungen für %s Veranstaltungen wurden zurück gesetzt.'), $resetted));
$this->redirect('admin/user/edit/' . $user_id);
......@@ -1237,6 +1242,7 @@ class Admin_UserController extends AuthenticatedController
*/
public function reset_tfa_action($user_id)
{
CSRFProtection::verifyUnsafeRequest();
if (TFASecret::deleteByUser_id($user_id)) {
PageLayout::postSuccess(_('Die Zwei-Faktor-Authentifizierung wurde für diese Person deaktiviert.'));
}
......@@ -1688,7 +1694,7 @@ class Admin_UserController extends AuthenticatedController
_('Personenaccount entsperren'),
$this->url_for("admin/user/unlock/{$this->user->id}"),
Icon::create('lock-unlocked')
);
)->asButton();
} else {
$user_actions->addLink(
_('Personenaccount sperren'),
......@@ -1703,7 +1709,7 @@ class Admin_UserController extends AuthenticatedController
_('Passwortlink zusenden'),
$this->url_for("admin/user/change_password/{$this->user->id}"),
Icon::create('key')
);
)->asButton();
}
$user_actions->addLink(
_('Person löschen'),
......@@ -1716,7 +1722,7 @@ class Admin_UserController extends AuthenticatedController
_('Benachrichtigungen zurücksetzen'),
$this->url_for("admin/user/reset_notification/{$this->user->id}"),
Icon::create('refresh')
);
)->asButton();
}
if ($this->action === 'activities') {
......@@ -1724,7 +1730,7 @@ class Admin_UserController extends AuthenticatedController
_('Alle Dateien des Nutzers aus Veranstaltungen und Einrichtungen als ZIP herunterladen'),
$this->url_for("admin/user/download_user_files/{$this->user->user_id}"),
Icon::create('folder-full')
);
)->asButton();
}
if ($this->user->id !== $GLOBALS['user']->id && TFASecret::exists($this->user->id)) {
......@@ -1732,7 +1738,7 @@ class Admin_UserController extends AuthenticatedController
_('Zwei-Faktor-Authentifizierung deaktivieren'),
$this->url_for("admin/user/reset_tfa/{$this->user->id}"),
Icon::create('code-qr')
);
)->asButton();
}
$sidebar->insertWidget($user_actions, 'actions', 'user_actions');
......
......@@ -170,10 +170,13 @@
);
if ($user->locked) {
$actionMenu->addLink(
$controller->url_for("admin/user/unlock/{$user->id}", ['from_index' => 1]),
$actionMenu->addButton(
'unlock',
_('Nutzeraccount entsperren'),
Icon::create('lock-unlocked')
Icon::create('lock-unlocked'),
[
'formaction' => $controller->url_for("admin/user/unlock/{$user->id}", ['from_index' => 1])
]
);
} else {
$actionMenu->addLink(
......@@ -186,10 +189,13 @@
if ($user->auth_plugin !== 'preliminary' && ($GLOBALS['perm']->have_perm('root') || $GLOBALS['perm']->is_fak_admin() || !in_array($user->perms, words('root admin')))) {
if (!StudipAuthAbstract::CheckField('auth_user_md5.password', $user->auth_plugin)) {
$actionMenu->addLink(
$controller->url_for("admin/user/change_password/{$user->id}", ['from_index' => 1]),
$actionMenu->addButton(
'change_password',
_('Passwortlink zusenden'),
Icon::create('key')
Icon::create('key'),
[
'formaction' => $controller->url_for("admin/user/change_password/{$user->id}", ['from_index' => 1])
]
);
}
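Review bot: The new `addButton('unlock', …, ['formaction' => …])` in the first hunk of this file, and the matching `change_password` button in this one, rely on an enclosing `<form method="post">` that carries the CSRF token; that form is not visible in either hunk, so it is worth confirming the action menu renders one (the same applies to the `asInput` trash buttons in the edit view). A submit button outside a form is inert, and inside a form without the token the server-side check would reject the request instead of enforcing it. A one-line comment on the first button, e.g. `// POST button rather than a link so the action can be CSRF-protected`, would make the reason for the switch visible to the next reader.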
......
......@@ -256,7 +256,7 @@ use Studip\Button, Studip\LinkButton;
</label>
<label class="col-2">
<?= Icon::create('accept', 'accept')->asImg([
<?= Icon::create('accept', Icon::ROLE_ACCEPT)->asImg([
'id' => 'pw_success',
'style' => 'display: none',
]) ?>
......@@ -435,12 +435,14 @@ use Studip\Button, Studip\LinkButton;
htmlReady($usc->semester),
_('Fachsemester')
) ?>
<a href="<?= $controller->url_for('admin/user/delete_studycourse/' . $user->user_id . '/' . $usc->fach_id . '/' . $usc->abschluss_id) ?>">
<?= Icon::create('trash')->asImg([
<?= Icon::create('trash')->asInput(
[
'class' => 'text-bottom',
'title' => _('Diesen Studiengang löschen'),
]) ?>
</a>
'data-confirm' => _('Sind Sie sicher, dass Sie diesen Studiengang löschen wollen?'),
'formaction' => $controller->delete_studycourseURL($user->user_id, $usc->fach_id, $usc->abschluss_id)
]
)?>
<? $versionen = StgteilVersion::findByFachAbschluss($usc->fach_id, $usc->abschluss_id); ?>
<? $versionen = array_filter($versionen, function ($ver) {
return $ver->hasPublicStatus('genehmigt');
......@@ -474,12 +476,14 @@ use Studip\Button, Studip\LinkButton;
<?= htmlReady($inst_membership->institute->name) ?>
<? if ($GLOBALS['perm']->have_studip_perm('admin', $inst_membership->institut_id)) : ?>
<a href="<?= $controller->url_for('admin/user/delete_institute/' . $user->user_id . '/' . $inst_membership->institut_id) ?>">
<?= Icon::create('trash')->asImg([
<?= Icon::create('trash')->asInput(
[
'class' => 'text-bottom',
'title' => _('Diese Einrichtung löschen'),
]) ?>
</a>
'data-confirm' => _('Sind Sie sicher, dass Sie diese Einrichtung löschen wollen?'),
'formaction' => $controller->delete_instituteURL($user->user_id, $inst_membership->institut_id)
]
)?>
<? endif; ?>
</li>
<? endforeach; ?>
......@@ -504,7 +508,7 @@ use Studip\Button, Studip\LinkButton;
</option>
<? foreach ($available_institutes as $i) : ?>
<? if (InstituteMember::countBySql('user_id = ? AND institut_id = ?', [$user->user_id, $i['Institut_id']]) == 0
&& (!($i['is_fak'] && $user->perms == 'admin') || $GLOBALS['perm']->have_perm('root'))
&& (!($i['is_fak'] && $user->perms === 'admin') || $GLOBALS['perm']->have_perm('root'))
) : ?>
<option class="<?= $i['is_fak'] ? 'nested-item-header' : 'nested-item' ?>"
value="<?= htmlReady($i['Institut_id']) ?>">
......@@ -533,12 +537,14 @@ use Studip\Button, Studip\LinkButton;
'title' => _('Diese Einrichtung bearbeiten'),
]) ?>
</a>
<a href="<?= $controller->url_for('admin/user/delete_institute/' . $user->user_id . '/' . $inst_membership->institut_id) ?>">
<?= Icon::create('trash')->asImg([
<?= Icon::create('trash')->asInput(
[
'class' => 'text-bottom',
'title' => _('Diese Einrichtung löschen'),
]) ?>
</a>
'data-confirm' => _('Sind Sie sicher, dass Sie diese Einrichtung löschen wollen?'),
'formaction' => $controller->delete_instituteURL($user->user_id, $inst_membership->institut_id)
]
)?>
<? endif; ?>
</li>
<? endforeach; ?>
......@@ -547,12 +553,13 @@ use Studip\Button, Studip\LinkButton;
<? endif;?>
</fieldset>
<? if (!empty($domains) || !empty($userdomains)) : ?>
<fieldset>
<legend>
<?= _('Nutzerdomänen') ?>
</legend>
<? if (!empty($domains)) : ?>
<label class="col-3">
<?= _('Neue Nutzerdomäne') ?>
......@@ -565,7 +572,7 @@ use Studip\Button, Studip\LinkButton;
<? endforeach ?>
</select>
</label>
<? endif ?>
<? if (count($userdomains) > 0): ?>
<section class="col-3">
......@@ -573,20 +580,22 @@ use Studip\Button, Studip\LinkButton;
<? foreach ($userdomains as $i => $domain): ?>
<li>
<?= htmlReady($domain->name) ?>
<a href="<?= $controller->url_for('admin/user/delete_userdomain/' . $user->id, ['domain_id' => $domain->id]) ?>">
<?= Icon::create('trash')->asImg([
<?= Icon::create('trash')->asInput(
[
'class' => 'text-bottom',
'title' => _('Aus dieser Nutzerdomäne austragen'),
]) ?>
</a>
'data-confirm' => _('Sind Sie sicher, dass sie die Person aus der Nutzerdomäne austragen wollen?'),
'formaction' => $controller->delete_userdomainURL($user->id, ['domain_id' => $domain->id])
]
)?>
</li>
<? endforeach; ?>
</ol>
</section>
<? endif; ?>
</fieldset>
<? endif; /* $user['perms'] !== 'root' */ ?>
<? endif ?>
<? endif;?>
<? if ($GLOBALS['perm']->have_perm('root') && count(LockRule::findAllByType('user')) > 0) : ?>
<fieldset>
......