Skip to content

Commit

Permalink
fix(1.x,suspend): suspended users can abuse avatar upload (#3890)
Browse files Browse the repository at this point in the history 
* fix(1.x,suspend): suspended users can abuse avatar upload

* test: works as expected

* Apply fixes from StyleCI

---------

Co-authored-by: StyleCI Bot <bot@styleci.io>
  • Loading branch information
@SychO9 @StyleCIBot
SychO9 and StyleCIBot authored Sep 22, 2023
1 parent daeab48 commit b1383a9
Show file tree
Hide file tree
Showing 5 changed files with 122 additions and 3 deletions.
7 changes: 7 additions & 0 deletions extensions/suspend/src/Access/UserPolicy.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,4 +25,11 @@ public function suspend(User $actor, User $user)
return $this->deny();
}
}

public function uploadAvatar(User $actor, User $user)
{
if ($actor->suspended_until && $actor->suspended_until->isFuture()) {
return $this->deny();
}
}
}
Binary file added extensions/suspend/tests/fixtures/avatar.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
103 changes: 103 additions & 0 deletions extensions/suspend/tests/integration/api/users/UploadAvatarTest.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
<?php

/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/

namespace Flarum\Suspend\Tests\integration\api\users;

use Carbon\Carbon;
use Flarum\Testing\integration\RetrievesAuthorizedUsers;
use Flarum\Testing\integration\TestCase;
use Laminas\Diactoros\UploadedFile;
use Psr\Http\Message\ResponseInterface;

class UploadAvatarTest extends TestCase
{
use RetrievesAuthorizedUsers;

protected function setUp(): void
{
parent::setUp();

$this->extension('flarum-suspend');

$this->prepareDatabase([
'users' => [
['id' => 1, 'username' => 'Muralf', 'email' => 'muralf@machine.local', 'is_email_confirmed' => 1],
$this->normalUser(),
['id' => 3, 'username' => 'acme', 'email' => 'acme@machine.local', 'is_email_confirmed' => 1, 'suspended_until' => Carbon::now()->addDay(), 'suspend_message' => 'You have been suspended.', 'suspend_reason' => 'Suspended for acme reasons.'],
['id' => 4, 'username' => 'acme4', 'email' => 'acme4@machine.local', 'is_email_confirmed' => 1],
['id' => 5, 'username' => 'acme5', 'email' => 'acme5@machine.local', 'is_email_confirmed' => 1, 'suspended_until' => Carbon::now()->subDay(), 'suspend_message' => 'You have been suspended.', 'suspend_reason' => 'Suspended for acme reasons.'],
],
'groups' => [
['id' => 5, 'name_singular' => 'can_edit_users', 'name_plural' => 'can_edit_users', 'is_hidden' => 0]
],
'group_user' => [
['user_id' => 2, 'group_id' => 5]
],
'group_permission' => [
['permission' => 'user.edit', 'group_id' => 5],
]
]);
}

/**
* @dataProvider allowedToUploadAvatar
* @test
*/
public function can_suspend_user_if_allowed(?int $authenticatedAs, int $targetUserId, string $message)
{
$response = $this->sendUploadAvatarRequest($authenticatedAs, $targetUserId);

$this->assertEquals(200, $response->getStatusCode(), $response->getBody()->getContents());
}

/**
* @dataProvider unallowedToUploadAvatar
* @test
*/
public function cannot_suspend_user_if_not_allowed(?int $authenticatedAs, int $targetUserId, string $message)
{
$response = $this->sendUploadAvatarRequest($authenticatedAs, $targetUserId);

$this->assertEquals(403, $response->getStatusCode(), $response->getBody()->getContents());
}

public function allowedToUploadAvatar(): array
{
return [
[1, 2, 'Admin can upload avatar for any user'],
[2, 3, 'User with permission can upload avatar for suspended user'],
[2, 2, 'User with permission can upload avatar for self'],
[2, 4, 'User with permission can upload avatar for other user'],
[1, 1, 'Admin can upload avatar for self'],
[5, 5, 'Suspended user can upload avatar for self if suspension expired'],
];
}

public function unallowedToUploadAvatar(): array
{
return [
[3, 3, 'Suspended user cannot upload avatar for self'],
[3, 2, 'Suspended user cannot upload avatar for other user'],
[4, 3, 'User without permission cannot upload avatar for suspended user'],
[4, 2, 'User without permission cannot upload avatar for other user'],
[5, 2, 'Suspended user cannot upload avatar for other user if suspension expired'],
];
}

protected function sendUploadAvatarRequest(?int $authenticatedAs, int $targetUserId): ResponseInterface
{
return $this->send(
$this->request('POST', "/api/users/$targetUserId/avatar", [
'authenticatedAs' => $authenticatedAs,
])->withHeader('Content-Type', 'multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW')->withUploadedFiles([
'avatar' => new UploadedFile(__DIR__.'/../../../fixtures/avatar.png', 0, UPLOAD_ERR_OK, 'avatar.png', 'image/png')
])
);
}
}
11 changes: 11 additions & 0 deletions framework/core/src/User/Access/UserPolicy.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,15 @@ public function editCredentials(User $actor, User $user)
return $this->allow();
}
}

public function uploadAvatar(User $actor, User $user)
{
if ($actor->id === $user->id) {
return $this->allow();
}

if ($actor->id !== $user->id) {
return $actor->can('edit', $user);
}
}
}
4 changes: 1 addition & 3 deletions framework/core/src/User/Command/UploadAvatarHandler.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,9 +68,7 @@ public function handle(UploadAvatar $command)

$user = $this->users->findOrFail($command->userId);

if ($actor->id !== $user->id) {
$actor->assertCan('edit', $user);
}
$actor->assertCan('uploadAvatar', $user);

$this->validator->assertValid(['avatar' => $command->file]);

Expand Down

0 comments on commit b1383a9

Please sign in to comment.