#1130 CAS authentication security leak when cas_memberof is left empty (already committed into branch 2.1.0)

SVN:trunk[3685]
2026-02-13 07:24:13 +01:00 · 2015-08-18 13:48:12 +00:00
parent 3fc19bf160
commit d8113a3304
1 changed files with 3 additions and 2 deletions
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -1303,8 +1303,9 @@ class CAS_SelfRegister implements iSelfRegister
 		}
 		else
 		{
-			// No membership required, anybody will pass
-			$bFound = true;
+			// No membership: no way to create the user that should exist prior to authentication
+			phpCAS::log("User ".phpCAS::getUser().": missing user account in iTop (or iTop badly configured, Cf setting cas_memberof)");
+			$bFound = false;
 		}
 		
 		if (!$bFound)