From 9f1338ee2a032c7e6ca7af24b75229dbf01f24ef Mon Sep 17 00:00:00 2001
From: Romain Quetiez
Date: Tue, 18 Aug 2015 13:42:47 +0000
Subject: [PATCH] #1130 CAS authentication security leak when cas_memberof is left empty
SVN:2.1.0[3684]
---
 core/userrights.class.inc.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php
index bb488b438..76c7cfc2b 100644
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -1303,8 +1303,9 @@ class CAS_SelfRegister implements iSelfRegister
 }
 else
 {
- // No membership required, anybody will pass
- $bFound = true;
+ // No membership: no way to create the user that should exist prior to authentication
+ phpCAS::log("User ".phpCAS::getUser().": missing user account in iTop (or iTop badly configured, Cf setting cas_memberof)");
+ $bFound = false;
 }
 if (!$bFound)
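Review bot: The refusal in the new `else` branch is recorded only through `phpCAS::log()`, which as far as I know writes only when phpCAS debugging is enabled, so on a production instance this fail-closed path is likely to leave no trace. Since it fires on either a missing account or an empty `cas_memberof`, it is worth sending the same message to the application's own error log, for example `IssueLog::Error("CAS: user ".phpCAS::getUser()." rejected, no iTop account and cas_memberof is empty");`, provided that logger is loaded at this point. The comment could also state the security intent directly: `// Fail closed: with cas_memberof empty, never auto-create an account for an arbitrary CAS user`. The condition that selects this branch and the rest of the method lie outside the hunk, so how a whitespace-only `cas_memberof` is treated cannot be checked from here.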