composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-12 23:14:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°8534 - Prevent Admin, SuperUser from loose of rights (#774)

Browse Source 
* N°8534 - Prevent Admin & SuperUser from suicide
Prevent creation/modification of Administrator, SuperUser, REST User, combined with a Profile denying access to the backoffice
This commit is contained in:
Vincent Dumas
2025-11-17 14:17:18 +01:00
committed by GitHub
parent b8345de553
commit 53de040934
21 changed files with 201 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
core/userrights.class.inc.php
View File

@@ -404,14 +404,14 @@ abstract class User extends cmdbAbstractObject
}
if (!in_array(ADMIN_PROFILE_NAME, $aProfiles)) {
// Check if the user is yet allowed to modify Users
// Prevent a User to lose the right to modify Users
if (method_exists($oAddon, 'ResetCache')) {
$aCurrentProfiles = Session::Get('profile_list');
// Set the current profiles into a session variable (not yet in the database)
Session::Set('profile_list', $aProfiles);
$oAddon->ResetCache();
if (!$oAddon->IsActionAllowed($this, 'User', UR_ACTION_MODIFY, null)) {
if (!$oAddon->IsActionAllowed($this, get_class($this), UR_ACTION_MODIFY, null)) {
$this->m_aCheckIssues[] = Dict::S('Class:User/Error:CurrentProfilesHaveInsufficientRights');
}
$oAddon->ResetCache();
@@ -422,6 +422,20 @@ abstract class User extends cmdbAbstractObject
Session::Set('profile_list', $aCurrentProfiles);
}
}
// Prevent an administrator to remove their own admin profile
if (UserRights::IsAdministrator($this)) {
$this->m_aCheckIssues[] = Dict::S('Class:User/Error:AdminProfileCannotBeRemovedBySelf');
}
}
}
elseif ($this->IsPrivilegedUser()) {
// Prevent Privileged User to be saved with profiles denying the access to the backoffice
$oSet->Rewind();
while ($oUserProfile = $oSet->Fetch()) {
$sProfile = $oUserProfile->Get('profile');
if (in_array($sProfile, $aForbiddenProfiles)) {
$this->m_aCheckIssues[] = Dict::Format('Class:User/Error:PrivilegedUserMustHaveAccessToBackOffice', $sProfile);
}
}
}
}
@@ -635,6 +649,21 @@ abstract class User extends cmdbAbstractObject
}
return UserRights::GetUserId() == $this->GetKey();
}
private function IsPrivilegedUser(): bool
{
$aPrivilegedProfiles = ['Administrator' => '1', 'REST Services User' => '1024', 'SuperUser' => '117'];
$oSet = $this->Get('profile_list');
$oSet->Rewind();
while ($oUserProfile = $oSet->Fetch()) {
$iProfile = $oUserProfile->Get('profileid');
if (in_array($iProfile, $aPrivilegedProfiles)) {
return true;
}
}
return false;
}
}
/**