Zhang Huangbin committed 70090ad

Fixed: Incorrectly unset domainGlobalAdmin status in session after updating admin profile.
Thanks Tue <tt _at_ atorbital.com> and escu <cosmin.necula@gmail> for the report.


Files changed (3)

           later).
 
     * Fixed:
-        - SECURITY ISSUE: Normal user can login and update their own profile,
-          includes mail quota.
+        - Incorrectly unset domainGlobalAdmin status in session after updating
+          admin profile.
+          Thanks Tue <tt _at_ atorbital.com> and escu <cosmin.necula@gmail> for
+          the report.
+        - [ldap] Normal user can login and update their own profile, includes
+          mail quota.
           Thanks Wesley MOUEDINE ASSABY <wesley _at_ aise.re> for the report.
 
     * Updated translations:
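Review bot: the new "Incorrectly unset domainGlobalAdmin status in session" entry does not say which backends it applies to, while the neighbouring entry is tagged `[ldap]`; since the files changed in this commit are libs/mysql/user.py and libs/pgsql/user.py, a `[mysql/pgsql]` tag on the new entry would keep the ChangeLog consistent and tell readers of the other backend that they are not affected.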

libs/mysql/user.py

         self.domain = self.mail.split('@', 1)[-1]
 
         # Pre-defined update key:value.
-        updates = {'modified': iredutils.getGMTTime(), 'isadmin': 0, }
+        updates = {'modified': iredutils.getGMTTime()}
 
         if self.profile_type == 'general':
             # Get settings of domain admin and global admin
             managed_domain=''
+            if 'domainadmin' in data:
+                # isadmin=1
+                updates['isadmin'] = 1
+                managed_domain=self.domain
+            else:
+                updates['isadmin'] = 0
+
             if session.get('domainGlobalAdmin'):
                 if 'domainGlobalAdmin' in data:
                     updates['isadmin'] = 1
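Review bot: dropping `'isadmin': 0` from the initial `updates` dict means that profile types other than `general` no longer write the `isadmin` column at all, which is what the fix needs; the column is now set only inside the `general` branch, first by the `domainadmin` check (`1` or `0`) and then possibly overridden to `1` by the `domainGlobalAdmin` check below it. Two small points on the added lines: the `# isadmin=1` comment merely repeats the statement under it and would be more useful saying what the flag means here (the user becomes an admin of its own domain, which is why `managed_domain` is set to `self.domain`), and `managed_domain=self.domain` should follow the spacing of the surrounding code (`managed_domain = self.domain`).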
             )
 
             # Update session immediately after updating SQL.
-            if not 'domainGlobalAdmin' in data and \
-               session.get('username') == self.mail:
-                session['domainGlobalAdmin'] = False
+            if profile_type == 'general':
+                if not 'domainGlobalAdmin' in data and \
+                   session.get('username') == self.mail:
+                    session['domainGlobalAdmin'] = False
 
             return (True,)
         except Exception, e:
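Review bot: the new guard `if profile_type == 'general':` uses a bare name, whereas the rest of this method tests `self.profile_type` (see `if self.profile_type == 'general':` in the previous hunk); unless `profile_type` is a local variable or parameter of this method, this line raises NameError after the SQL update has already been issued, and the broad `except Exception, e:` immediately below will report the update as failed even though the database row was changed. Suggest `if self.profile_type == 'general':`. Minor style: `'domainGlobalAdmin' not in data` is the idiomatic form of `not 'domainGlobalAdmin' in data`.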

libs/pgsql/user.py

         self.domain = self.mail.split('@', 1)[-1]
 
         # Pre-defined update key:value.
-        updates = {'modified': iredutils.getGMTTime(), 'isadmin': 0, }
+        updates = {'modified': iredutils.getGMTTime()}
 
         if self.profile_type == 'general':
             # Get settings of domain admin and global admin
             managed_domain=''
+            if 'domainadmin' in data:
+                # isadmin=1
+                updates['isadmin'] = 1
+                managed_domain=self.domain
+            else:
+                updates['isadmin'] = 0
+
             if session.get('domainGlobalAdmin'):
                 if 'domainGlobalAdmin' in data:
                     updates['isadmin'] = 1
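Review bot: same observations as for the identical hunk in libs/mysql/user.py: removing `'isadmin': 0` from the initial `updates` dict correctly confines the `isadmin` write to the `general` profile type, but the `# isadmin=1` comment only restates the next line and `managed_domain=self.domain` should match the surrounding spacing (`managed_domain = self.domain`). Since this block is now duplicated byte-for-byte across the mysql and pgsql backends, it may be worth factoring the admin-flag computation into a shared helper so future fixes do not have to be applied twice.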
             )
 
             # Update session immediately after updating SQL.
-            if not 'domainGlobalAdmin' in data and \
-               session.get('username') == self.mail:
-                session['domainGlobalAdmin'] = False
+            if profile_type == 'general':
+                if not 'domainGlobalAdmin' in data and \
+                   session.get('username') == self.mail:
+                    session['domainGlobalAdmin'] = False
 
             return (True,)
         except Exception, e:
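Review bot: as in libs/mysql/user.py, `if profile_type == 'general':` refers to a bare `profile_type` while the method otherwise uses `self.profile_type`; if `profile_type` is not a local or parameter here, the NameError raised after the SQL update will be swallowed by `except Exception, e:` and the call will return an error for an update that already succeeded. Suggest `if self.profile_type == 'general':`, and `'domainGlobalAdmin' not in data` for the inner condition.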