	Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email addresses to prevent email address discovery by probing with search queries. - Required the user to be logged in and have permission to manage users or to manage permissions on items in some way. - Removed the user migration option on user delete unless the actor has permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron
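<?php

namespace BookStack\Http\Controllers;

use BookStack\Auth\User;
use Illuminate\Http\Request;

class UserSearchController extends Controller
{
    /**
     * Search users in the system, with the response formatted
     * for use in a select-style list.
     *
     * Access is limited to signed-in users that can manage users or
     * manage item permissions (own or all); anyone else is handed to
     * showPermissionError(). Only the user's name is matched — email
     * addresses are deliberately not searched, so the endpoint cannot
     * be used to discover them via search probing.
     *
     * @param Request $request  Optional `search` query parameter (string).
     */
    public function forSelect(Request $request)
    {
        $hasPermission = signedInUser() && (
                   userCan('users-manage')
                || userCan('restrictions-manage-own')
                || userCan('restrictions-manage-all')
        );

        // NOTE(review): showPermissionError() is expected to abort the
        // request (throw/redirect); if it ever returned normally the search
        // below would still run — confirm against the base Controller.
        if (!$hasPermission) {
            $this->showPermissionError();
        }

        // Accept only a plain string: a `?search[]=x` style parameter would
        // otherwise reach the concatenation below as an array.
        $search = $request->get('search', '');
        if (!is_string($search)) {
            $search = '';
        }

        $query = User::query()
            ->orderBy('name', 'asc')
            ->take(20);

        // Compare against '' rather than empty(): a search for "0" is a real
        // query and must not fall back to the unfiltered list.
        // LIKE wildcards (% and _) in $search are not escaped and so only
        // widen the match; an empty search already returns the first 20
        // users, so this does not expose more than the unfiltered case.
        if ($search !== '') {
            $query->where('name', 'like', '%' . $search . '%');
        }

        return view('form.user-select-list', [
            'users' => $query->get(),
        ]);
    }
}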