
Zhang Huangbin committed 70090ad

Fixed: Incorrectly unset domainGlobalAdmin status in session after updating admin profile.
Thanks Tue <tt _at_ atorbital.com> and escu <cosmin.necula@gmail> for the report.

  • Parent commits 27eb99a


Files changed (3)

           later).
 
     * Fixed:
-        - SECURITY ISSUE: Normal user can login and update their own profile,
-          includes mail quota.
+        - Incorrectly unset domainGlobalAdmin status in session after updating
+          admin profile.
+          Thanks Tue <tt _at_ atorbital.com> and escu <cosmin.necula@gmail> for
+          the report.
+        - [ldap] Normal user can login and update their own profile, includes
+          mail quota.
           Thanks Wesley MOUEDINE ASSABY <wesley _at_ aise.re> for the report.
 
     * Updated translations:

libs/mysql/user.py

         self.domain = self.mail.split('@', 1)[-1]
 
         # Pre-defined update key:value.
-        updates = {'modified': iredutils.getGMTTime(), 'isadmin': 0, }
+        updates = {'modified': iredutils.getGMTTime()}
 
         if self.profile_type == 'general':
             # Get settings of domain admin and global admin
             managed_domain=''
+            if 'domainadmin' in data:
+                # isadmin=1
+                updates['isadmin'] = 1
+                managed_domain=self.domain
+            else:
+                updates['isadmin'] = 0
+
             if session.get('domainGlobalAdmin'):
                 if 'domainGlobalAdmin' in data:
                     updates['isadmin'] = 1
             )
 
             # Update session immediately after updating SQL.
-            if not 'domainGlobalAdmin' in data and \
-               session.get('username') == self.mail:
-                session['domainGlobalAdmin'] = False
+            if profile_type == 'general':
+                if not 'domainGlobalAdmin' in data and \
+                   session.get('username') == self.mail:
+                    session['domainGlobalAdmin'] = False
 
             return (True,)
         except Exception, e:
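Review bot: The new `if 'domainadmin' in data:` branch sets `isadmin = 1` and `managed_domain = self.domain` purely because a form key is present, with no visible check that the session user may grant that role, while the global-admin grant just below it is gated on `session.get('domainGlobalAdmin')`. If the controller does not already restrict the 'general' profile form to admins, a user editing their own profile can post `domainadmin` and promote themselves — the ChangeLog in this same commit records that exact class of bug for the LDAP backend, so the SQL path deserves the same gate or a comment naming where the authorization check lives, e.g. `# caller must be an admin of self.domain; enforced in the controller`. In the second hunk the guard reads bare `profile_type` whereas the first hunk tests `self.profile_type`; if `profile_type` is not a parameter of the enclosing method (its signature is above the hunk) every successful update now raises NameError, and `if self.profile_type == 'general':` is correct either way. The enclosing method starts before and its exception handler continues past this hunk.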

libs/pgsql/user.py

         self.domain = self.mail.split('@', 1)[-1]
 
         # Pre-defined update key:value.
-        updates = {'modified': iredutils.getGMTTime(), 'isadmin': 0, }
+        updates = {'modified': iredutils.getGMTTime()}
 
         if self.profile_type == 'general':
             # Get settings of domain admin and global admin
             managed_domain=''
+            if 'domainadmin' in data:
+                # isadmin=1
+                updates['isadmin'] = 1
+                managed_domain=self.domain
+            else:
+                updates['isadmin'] = 0
+
             if session.get('domainGlobalAdmin'):
                 if 'domainGlobalAdmin' in data:
                     updates['isadmin'] = 1
             )
 
             # Update session immediately after updating SQL.
-            if not 'domainGlobalAdmin' in data and \
-               session.get('username') == self.mail:
-                session['domainGlobalAdmin'] = False
+            if profile_type == 'general':
+                if not 'domainGlobalAdmin' in data and \
+                   session.get('username') == self.mail:
+                    session['domainGlobalAdmin'] = False
 
             return (True,)
         except Exception, e:
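Review bot: The session-update guard added in the last hunk compares a bare `profile_type` while the earlier hunk of this same method uses `self.profile_type`; unless `profile_type` is a parameter of the enclosing method (whose signature is outside the hunk) this raises NameError after every successful update, so `if self.profile_type == 'general':` is the safer spelling in either case. Separately, `if 'domainadmin' in data:` grants `isadmin = 1` and `managed_domain = self.domain` on the mere presence of a submitted key, with no visible authorization check, whereas the `domainGlobalAdmin` grant a few lines later is gated on `session.get('domainGlobalAdmin')`. Given this commit's own ChangeLog entry about normal users editing their own profile, either gate this branch on the session's admin status too or add a comment such as `# caller must be an admin of self.domain; enforced in the controller` so the trust boundary is explicit. The enclosing method begins before this section and its handler continues past it.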