]> BookStack Code Mirror - bookstack/commitdiff
projects / bookstack / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side (parent: 32516f7)
Guests: Prevented access to profile routes
authorDan Brown <redacted>
Sat, 26 Aug 2023 13:07:48 +0000 (14:07 +0100)
committerDan Brown <redacted>
Sat, 26 Aug 2023 13:07:48 +0000 (14:07 +0100)
Prevention of action on certain routes for guest user when public access
is enabled. Could not see a way this could be a security issue, beyond a
mild nuisance that'd only be visible if public users can edit, which
would present larger potential nuisance anyway.

app/Users/Controllers/UserController.php patch | blob | history
tests/PublicActionTest.php patch | blob | history

diff --git a/app/Users/Controllers/UserController.php b/app/Users/Controllers/UserController.php
index 1c1b7ba23903ae48465ac81ade2f742bb507ad5d..0cd48948f8ccc79a461931f141f8cb333bf41043 100644 (file)
--- a/app/Users/Controllers/UserController.php
+++ b/app/Users/Controllers/UserController.php
@@ -103,6 +103,7 @@ class UserController extends Controller
      */
     public function edit(int $id, SocialAuthService $socialAuthService)
     {
+        $this->preventGuestAccess();
         $this->checkPermissionOrCurrentUser('users-manage', $id);
 
         $user = $this->userRepo->getById($id);
@@ -133,6 +134,7 @@ class UserController extends Controller
     public function update(Request $request, int $id)
     {
         $this->preventAccessInDemoMode();
+        $this->preventGuestAccess();
         $this->checkPermissionOrCurrentUser('users-manage', $id);
 
         $validated = $this->validate($request, [
@@ -176,6 +178,7 @@ class UserController extends Controller
      */
     public function delete(int $id)
     {
+        $this->preventGuestAccess();
         $this->checkPermissionOrCurrentUser('users-manage', $id);
 
         $user = $this->userRepo->getById($id);
@@ -192,6 +195,7 @@ class UserController extends Controller
     public function destroy(Request $request, int $id)
     {
         $this->preventAccessInDemoMode();
+        $this->preventGuestAccess();
         $this->checkPermissionOrCurrentUser('users-manage', $id);
 
         $user = $this->userRepo->getById($id);
diff --git a/tests/PublicActionTest.php b/tests/PublicActionTest.php
index 6f0e2f1d3bb4d886684af5e7ee3863926a552460..1e4dcbfb7b80df50c843ed6ff1e0bd591b2aec63 100644 (file)
--- a/tests/PublicActionTest.php
+++ b/tests/PublicActionTest.php
@@ -207,4 +207,16 @@ class PublicActionTest extends TestCase
 
         $this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
     }
+
+    public function test_public_user_cannot_view_or_update_their_profile()
+    {
+        $this->setSettings(['app-public' => 'true']);
+        $guest = $this->users->guest();
+
+        $resp = $this->get($guest->getEditUrl());
+        $this->assertPermissionError($resp);
+
+        $resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
+        $this->assertPermissionError($resp);
+    }
 }
The core source code for the BookStack project.