Skip to content

Commit

Permalink
security breach on action case insensitivity
Browse files Browse the repository at this point in the history
  • Loading branch information
alterphp committed Oct 1, 2018
1 parent cabe45f commit 8d8c508
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/Security/AdminAuthorizationChecker.php
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,9 @@ public function isEasyAdminGranted(array $entityConfig, string $actionName, $sub

protected function getRequiredRole(array $entityConfig, string $actionName)
{
// Prevent from security breach: role for 'list' action was not required for 'List' nor 'LIST'...
$actionName = strtolower($actionName);

if (isset($entityConfig[$actionName]) && isset($entityConfig[$actionName]['role'])) {
return $entityConfig[$actionName]['role'];
} elseif (isset($entityConfig['role_prefix'])) {
Expand Down
47 changes: 47 additions & 0 deletions tests/Controller/UserRolesTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -191,4 +191,51 @@ public function testAdminGroupRolesFormMayDisplay()
$crawler->filter('form#edit-admingroup-form .field-easyadmin_admin_roles input[type="checkbox"]')->count()
);
}

public function testEntityActionsAreForbiddenOnCaseInsensitiveSpecificRoles()
{
$this->logIn(['ROLE_ADMIN']);

$this->client->followRedirects();

// Edit
$crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'edit', 'id' => 1]);
$this->assertSame(403, $this->client->getResponse()->getStatusCode());
$this->assertSame(
'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
trim($crawler->filterXPath('//head/title')->text())
);
$crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Edit', 'id' => 1]);
$this->assertSame(403, $this->client->getResponse()->getStatusCode());
$this->assertSame(
'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
trim($crawler->filterXPath('//head/title')->text())
);
$crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'EDIT', 'id' => 1]);
$this->assertSame(403, $this->client->getResponse()->getStatusCode());
$this->assertSame(
'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
trim($crawler->filterXPath('//head/title')->text())
);

// Show
$crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'show', 'id' => 1]);
$this->assertSame(403, $this->client->getResponse()->getStatusCode());
$this->assertSame(
'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
trim($crawler->filterXPath('//head/title')->text())
);
$crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Show', 'id' => 1]);
$this->assertSame(403, $this->client->getResponse()->getStatusCode());
$this->assertSame(
'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
trim($crawler->filterXPath('//head/title')->text())
);
$crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'SHOW', 'id' => 1]);
$this->assertSame(403, $this->client->getResponse()->getStatusCode());
$this->assertSame(
'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
trim($crawler->filterXPath('//head/title')->text())
);
}
}

0 comments on commit 8d8c508

Please sign in to comment.