1
0
mirror of https://github.com/delight-im/PHP-Auth.git synced 2025-10-24 20:36:06 +02:00

Fail safely in role checks when invalid input has been supplied

This commit is contained in:
Marco
2018-05-25 23:19:07 +02:00
parent 7a8508d56e
commit 9d08c939a0
2 changed files with 11 additions and 2 deletions

View File

@@ -270,8 +270,11 @@ final class Administration extends UserManager {
* @see Role
*/
public function doesUserHaveRole($userId, $role) {
if (empty($role) || !\is_numeric($role)) {
return false;
}
$userId = (int) $userId;
$role = (int) $role;
$rolesBitmask = $this->db->selectValue(
'SELECT roles_mask FROM ' . $this->dbTablePrefix . 'users WHERE id = ?',
@@ -282,6 +285,8 @@ final class Administration extends UserManager {
throw new UnknownIdException();
}
$role = (int) $role;
return ($rolesBitmask & $role) === $role;
}

View File

@@ -1563,9 +1563,13 @@ final class Auth extends UserManager {
* @see Role
*/
public function hasRole($role) {
$role = (int) $role;
if (empty($role) || !\is_numeric($role)) {
return false;
}
if (isset($_SESSION) && isset($_SESSION[self::SESSION_FIELD_ROLES])) {
$role = (int) $role;
return (((int) $_SESSION[self::SESSION_FIELD_ROLES]) & $role) === $role;
}
else {