From b88f9333dea8ccde72d8a6a5013a51f0bc94a07c Mon Sep 17 00:00:00 2001 From: nilsteampassnet Date: Sun, 17 Mar 2019 20:24:33 +0100 Subject: [PATCH] 2.1.27 Fix for #2564, #2563, #2560, #2536, #2505, #2503, #2439 --- changelog.txt | 1 + sources/identify.php | 11 +++++++++-- sources/items.queries.php | 36 ++++++++++++++++++------------------ 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/changelog.txt b/changelog.txt index 230373cc2..995059644 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,5 +1,6 @@ 2.1.27 35/ + #2564 Permissions problem #2563 Unable to add item via API #2560 Fix an issue for one time password changes if current user is not root #2536 low 40bit RC4 - pdf export? diff --git a/sources/identify.php b/sources/identify.php index cec6ba2c4..cad31cc79 100644 --- a/sources/identify.php +++ b/sources/identify.php @@ -628,7 +628,7 @@ function identifyUser( $ldapconn, $SETTINGS['ldap_search_base'], $filter, - array('dn', 'mail', 'givenname', 'sn', 'samaccountname', 'shadowexpire') + array('dn', 'mail', 'givenname', 'sn', 'samaccountname', 'shadowexpire', 'useraccountcontrol') ); if ($debugLdap == 1) { fputs( @@ -830,6 +830,13 @@ function identifyUser( exit(); } + // Is user disabled? + $user_info_from_ad = $adldap->user()->info($auth_username, array("useraccountcontrol")); + if ((($user_info[0]['useraccountcontrol'][0] & 2) == 0) === false) { + echo '[{"value" : "user_disabled'.$auth_username.'", "text":""}]'; + exit(); + } + // Update user's password if ($ldapConnection === true) { $data['pw'] = $pwdlib->createPasswordHash($passwordClear); @@ -930,7 +937,7 @@ function identifyUser( //Because we didn't use adLDAP, we need to set the user info from the ldap_get_entries result $user_info_from_ad = $result; } else { - $user_info_from_ad = $adldap->user()->info($auth_username, array("mail", "givenname", "sn")); + $user_info_from_ad = $adldap->user()->info($auth_username, array("mail", "givenname", "sn", "useraccountcontrol")); } DB::insert( 
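Review bot: In the `// Is user disabled?` block of the second identify.php hunk, the lookup result is assigned to `$user_info_from_ad` but the condition reads `$user_info[0]['useraccountcontrol'][0]`. Unless `$user_info` is populated earlier in identifyUser (its body extends beyond the hunk), the masked value is always 0 and a disabled directory account is never rejected; the test should read the variable just assigned, e.g. `if (((int) $user_info_from_ad[0]['useraccountcontrol'][0] & 2) !== 0) {`. The response also concatenates `$auth_username` unescaped directly after `user_disabled`, so the value no longer equals the bare status string and a quote character in the name produces invalid JSON; `echo json_encode(array(array('value' => 'user_disabled', 'text' => '')));` avoids both. The first hunk also requests `useraccountcontrol` in the `ldap_search` call, but no visible line evaluates it on that path, so it is worth confirming that the disabled state is enforced there as well.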
diff --git a/sources/items.queries.php b/sources/items.queries.php index 5a700450a..40dc25747 100644 --- a/sources/items.queries.php +++ b/sources/items.queries.php @@ -2601,29 +2601,29 @@ $accessLevel = 2; $arrTmp = []; foreach (explode(';', $_SESSION['fonction_id']) as $role) { - $access = DB::queryFirstRow( - "SELECT type FROM ".prefix_table("roles_values")." WHERE role_id = %i AND folder_id = %i", - $role, - $post_id - ); - if ($access['type'] === "R") { - array_push($arrTmp, 1); - } elseif ($access['type'] === "W") { - array_push($arrTmp, 0); - } elseif ($access['type'] === "ND") { - array_push($arrTmp, 2); - } else { - // Ensure to give access Right if allowed folder - if (in_array($post_id, $_SESSION['groupes_visibles']) === true) { + if (empty($role) === false) { + $access = DB::queryFirstRow( + "SELECT type FROM ".prefix_table("roles_values")." WHERE role_id = %i AND folder_id = %i", + $role, + $post_id + ); + if ($access['type'] === "R") { + array_push($arrTmp, 1); + } elseif ($access['type'] === "W") { array_push($arrTmp, 0); + } elseif ($access['type'] === "ND") { + array_push($arrTmp, 2); } else { - array_push($arrTmp, 3); + // Ensure to give access Right if allowed folder + if (in_array($post_id, $_SESSION['groupes_visibles']) === true) { + array_push($arrTmp, 0); + } else { + array_push($arrTmp, 3); + } } } } - $accessLevel = min($arrTmp); - $uniqueLoadData['accessLevel'] = $accessLevel; - + // check if this folder is a PF. If yes check if saltket is set if ((!isset($_SESSION['user_settings']['encrypted_psk']) || empty($_SESSION['user_settings']['encrypted_psk'])) && $folderIsPf === true) { $showError = "is_pf_but_no_saltkey";
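Review bot: As shown, this hunk removes `$accessLevel = min($arrTmp);` and `$uniqueLoadData['accessLevel'] = $accessLevel;` without adding them back, so the loop still fills `$arrTmp` but nothing visible reduces it and `$accessLevel` keeps its initial value of 2. If those two lines are not restored outside the hunk, the per-role rights computed here no longer influence the access level returned for the item. If they are kept, the new `empty($role)` guard can leave `$arrTmp` empty, and `min()` on an empty array raises a warning or an error depending on the PHP version, so a restrictive fallback is needed, e.g. `$accessLevel = empty($arrTmp) ? 3 : min($arrTmp);` (3 being the no-match value the loop already uses). Separately, `in_array($post_id, $_SESSION['groupes_visibles'])` compares loosely in the branch that grants level 0; normalising both sides to integers and passing `true` as the third argument would make that authorization match exact.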