From d8113a33049faea71aaa9d7a8e41385153bcdf8e Mon Sep 17 00:00:00 2001
From: Romain Quetiez
Date: Tue, 18 Aug 2015 13:48:12 +0000
Subject: [PATCH] #1130 CAS authentication security leak when cas_memberof is left empty (already committed into branch 2.1.0) SVN:trunk[3685]
---
 core/userrights.class.inc.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php
index 133c721cf..defbe38d0 100644
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -1303,8 +1303,9 @@ class CAS_SelfRegister implements iSelfRegister
 }
 else
 {
- // No membership required, anybody will pass
- $bFound = true;
+ // No membership: no way to create the user that should exist prior to authentication
+ phpCAS::log("User ".phpCAS::getUser().": missing user account in iTop (or iTop badly configured, Cf setting cas_memberof)");
+ $bFound = false;
 }
 if (!$bFound)