User security fix

Fix to resolve #405 by adding a check that compares POST id with SESSION id for none admin edits
2025-08-02 19:27:52 +02:00 · 2016-03-27 19:25:54 +01:00
parent 4980a54b0c
commit 2e2a22ee5a
1 changed files with 25 additions and 20 deletions
--- a/plugins/box/users/users.plugin.php
+++ b/plugins/box/users/users.plugin.php
@@ -229,25 +229,30 @@ class Users extends Frontend
                // Check csrf
                if (Security::check(Request::post('csrf'))) {
-                    if (Security::safeName(Request::post('login')) != '') {
+                    // Check for POST data manipulation
-                        if (Users::$users->update(Request::post('user_id'),
+                    if( ((int) Session::get('user_id') == (int) Request::post('user_id')) or (in_array(Session::get('user_role'), array('admin'))) ) {
                                                                array('login' => Security::safeName(Request::post('login')),
                                                                      'firstname' => Request::post('firstname'),
                                                                      'lastname'  => Request::post('lastname'),
                                                                      'email'     => Request::post('email'),
                                                                      'skype'     => Request::post('skype'),
                                                                      'about_me'  => Request::post('about_me'),
                                                                      'twitter'   => Request::post('twitter')))) {
-                            // Change password
+                        if (Security::safeName(Request::post('login')) != '') {
-                            if (trim(Request::post('new_password')) != '') {
+                            if (Users::$users->update(Request::post('user_id'),
-                                Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
+                                                                    array('login' => Security::safeName(Request::post('login')),
                                                                          'firstname' => Request::post('firstname'),
                                                                          'lastname'  => Request::post('lastname'),
                                                                          'email'     => Request::post('email'),
                                                                          'skype'     => Request::post('skype'),
                                                                          'about_me'  => Request::post('about_me'),
                                                                          'twitter'   => Request::post('twitter')))) {
                                // Change password
                                if (trim(Request::post('new_password')) != '') {
                                    Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
                                }
                                Notification::set('success', __('Your changes have been saved.', 'users'));
                                Request::redirect(Site::url().'/users/'.$user['id']);
                            }
                        } else { }
-                            Notification::set('success', __('Your changes have been saved.', 'users'));
+                    } else { die('Monstra says: This is not your profile...'); }
                            Request::redirect(Site::url().'/users/'.$user['id']);
                        }
                    } else { }
                } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }