Fail safely in role checks when invalid input has been supplied

2025-08-08 09:06:29 +02:00 · 2018-05-25 23:19:07 +02:00
parent 7a8508d56e
commit 9aa52034fc
2 changed files with 11 additions and 2 deletions
--- a/src/Administration.php
+++ b/src/Administration.php
@@ -270,8 +270,11 @@ final class Administration extends UserManager {
 	 * @see Role
 	 */
 	public function doesUserHaveRole($userId, $role) {
+		if (empty($role) || !\is_numeric($role)) {
+			return false;
+		}
+
 		$userId = (int) $userId;
-		$role = (int) $role;

 		$rolesBitmask = $this->db->selectValue(
 			'SELECT roles_mask FROM ' . $this->dbTablePrefix . 'users WHERE id = ?',
@@ -282,6 +285,8 @@ final class Administration extends UserManager {
 			throw new UnknownIdException();
 		}

+		$role = (int) $role;
+
 		return ($rolesBitmask & $role) === $role;
 	}

--- a/src/Auth.php
+++ b/src/Auth.php
@@ -1563,9 +1563,13 @@ final class Auth extends UserManager {
 	 * @see Role
 	 */
 	public function hasRole($role) {
-		$role = (int) $role;
+		if (empty($role) || !\is_numeric($role)) {
+			return false;
+		}

 		if (isset($_SESSION) && isset($_SESSION[self::SESSION_FIELD_ROLES])) {
+			$role = (int) $role;
+
 			return (((int) $_SESSION[self::SESSION_FIELD_ROLES]) & $role) === $role;
 		}
 		else {