webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-07-28 17:02:04 +03:00
Code Activity

Addressed user detail harvesting issue

Browse Source 
Altered access & usage of the /search/users/select endpoint with the
following changes:
- Removed searching of email address to prevent email detail discovery
  via hunting via search queries.
- Required the user to be logged in and have permission to manage users
  or manage permissions on items in some way.
- Removed the user migration option on user delete unless they have
  permission to manage users.

For #3108
Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/
Reported by @haxatron
This commit is contained in:
Dan Brown
2021-12-14 18:47:22 +00:00
parent 867cbe15ea
commit e765e61854
5 changed files with 114 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
app/Http/Controllers/UserSearchController.php
View File

@ -3,7 +3,6 @@
namespace BookStack\Http\Controllers;
use BookStack\Auth\User;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\Request;
class UserSearchController extends Controller
@ -14,19 +13,27 @@ class UserSearchController extends Controller
*/
public function forSelect(Request $request)
{
$hasPermission = signedInUser() && (
userCan('users-manage')
|| userCan('restrictions-manage-own')
|| userCan('restrictions-manage-all')
);
if (!$hasPermission) {
$this->showPermissionError();
}
$search = $request->get('search', '');
$query = User::query()->orderBy('name', 'desc')
$query = User::query()
->orderBy('name', 'asc')
->take(20);
if (!empty($search)) {
$query->where(function (Builder $query) use ($search) {
$query->where('email', 'like', '%' . $search . '%')
->orWhere('name', 'like', '%' . $search . '%');
});
$query->where('name', 'like', '%' . $search . '%');
}
$users = $query->get();
return view('form.user-select-list', compact('users'));
return view('form.user-select-list', [
'users' => $query->get(),
]);
}
}