CVE-2022-39291: Add permissions checking to API/Logs. Fixes unprivileged user being t… · ZoneMinder/zoneminder@34ffd92

@@ -20,6 +20,17 @@ class LogsController extends AppController {

‘paramType’ => ‘querystring’

);

public function beforeFilter() {

parent::beforeFilter();

global $user;

# We already tested for auth in appController, so we just need to test for specific permission

$canView = (!$user) || ($user[‘System’] != ‘None’);

if (!$canView) {

throw new UnauthorizedException(__(‘Insufficient Privileges’));

return;

}

}

/**

* index method

*

@@ -54,6 +65,12 @@ public function view($id = null) {

* @return void

*/

public function add() {

global $user;

$canAdd = (!$user) || (($user[‘System’] == ‘Edit’) || ZM_LOG_INJECT);

if (!$canAdd) {

throw new UnauthorizedException(__(‘Insufficient privileges’));

return;

}

if ($this->request->is(‘post’)) {

$this->Log->create();

if ($this->Log->save($this->request->data)) {

@@ -70,6 +87,13 @@ public function add() {

* @return void

*/

public function edit($id = null) {

global $user;

$canEdit = (!$user) || ($user[‘System’] == ‘Edit’);

if (!$canEdit) {

throw new UnauthorizedException(__(‘Insufficient privileges’));

return;

}

if (!$this->Log->exists($id)) {

throw new NotFoundException(__(‘Invalid log’));

}

@@ -91,6 +115,11 @@ public function edit($id = null) {

* @return void

*/

public function delete($id = null) {

$canDelete = (!$user) || ($user[‘System’] == ‘Edit’);

if (!$canDelete) {

throw new UnauthorizedException(__(‘Insufficient privileges’));

return;

}

$this->Log->id = $id;

if (!$this->Log->exists()) {

throw new NotFoundException(__(‘Invalid log’));