CVE-2023-26468: security: [authkey:add] Restrict creation of API keys for users in th… · cerebrate-project/cerebrate@7ccf925
Cerebrate 1.12 does not properly consider organisation_id during creation of API keys.
@@ -71,8 +71,12 @@ public function add()
if (empty($currentUser[‘role’][‘perm_org_admin’])) {
$userConditions[‘id’] = $currentUser[‘id’];
} else {
$role_ids = $this->Users->Roles->find()->where([‘perm_admin’ => 0])->all()->extract(‘id’)->toList();
$userConditions[‘role_id IN’] = $role_ids;
$role_ids = $this->Users->Roles->find()->where([‘perm_admin’ => 0, ‘perm_org_admin’ => 0])->all()->extract(‘id’)->toList();
$userConditions[‘organisation_id’] = $currentUser[‘organisation_id’];
$userConditions[‘OR’] = [
[‘role_id IN’ => $role_ids],
[‘id’ => $currentUser[‘id’]],
];
}
}
$users = $this->Users->find(‘list’);
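Review bot: The new `'role_id IN' => $role_ids` inside the `OR` clause is built from a list that can now be empty, since the stricter `perm_admin => 0, perm_org_admin => 0` filter on the Roles query may match no role at all; CakePHP, as far as I recall, refuses to generate an `IN` condition from an empty list and throws, so an org admin whose installation has only admin-type roles would get an error page instead of an empty user list. The `OR` should start from the self-condition and only append the role condition when `$role_ids` is non-empty. Separately, these conditions only narrow the `find('list')` used for the form; if the submitted `user_id` is not also checked against the same conditions further down in `add()` (the rest of the method and the enclosing `if` whose `}` closes on the last context line are outside the hunk), the organisation restriction is enforced in the UI only. Consider reusing `$userConditions` to look up the posted `user_id` before saving.
```php
$role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->extract('id')->toList();
$userConditions['organisation_id'] = $currentUser['organisation_id'];
// Always allow a key for the current user; add the role filter only when it is non-empty,
// because an empty IN list cannot be expressed as a query condition.
$userConditions['OR'] = [['id' => $currentUser['id']]];
if (!empty($role_ids)) {
    $userConditions['OR'][] = ['role_id IN' => $role_ids];
}
// … unchanged: closing braces and $users = $this->Users->find('list'); …
```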