
Commit 8d8c508

committed
security breach on action case insensitivity
1 parent cabe45f commit 8d8c508

2 files changed

+50
-0
lines changed


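--- a/src/Security/AdminAuthorizationChecker.php
+++ b/src/Security/AdminAuthorizationChecker.php
@@ -62,6 +62,9 @@ public function isEasyAdminGranted(array $entityConfig, string $actionName, $sub
 
     protected function getRequiredRole(array $entityConfig, string $actionName)
     {
+        // Prevent from security breach: role for 'list' action was not required for 'List' nor 'LIST'...
+        $actionName = strtolower($actionName);
+
         if (isset($entityConfig[$actionName]) && isset($entityConfig[$actionName]['role'])) {
             return $entityConfig[$actionName]['role'];
         } elseif (isset($entityConfig['role_prefix'])) {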
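Review bot: Lowercasing `$actionName` inside `getRequiredRole` closes the bypass for this lookup only; any other place that keys on the raw action name (the caller `isEasyAdminGranted`, whose body is outside the hunk, or an entity-level disabled-actions check if one exists) would still compare case-sensitively, so the canonical fix is to normalize or reject non-canonical action names once at the request entry point and have every consumer see the same value. It is also worth confirming what the method returns when neither the `$entityConfig[$actionName]['role']` branch nor `role_prefix` matches — the rest of the method is not visible here — since an unknown action that yields no required role would fail open; an explicit allow-list of known actions would make that path fail closed. The added comment should state the invariant rather than the incident, e.g. `// Action names are matched case-insensitively upstream, so normalize before the config lookup; otherwise 'List'/'LIST' would bypass the role required for 'list'.`. `strtolower` is adequate here because config keys are ASCII identifiers, but that assumption is worth a word in the comment too.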

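--- a/tests/Controller/UserRolesTest.php
+++ b/tests/Controller/UserRolesTest.php
@@ -191,4 +191,51 @@ public function testAdminGroupRolesFormMayDisplay()
             $crawler->filter('form#edit-admingroup-form .field-easyadmin_admin_roles input[type="checkbox"]')->count()
         );
     }
+
+    public function testEntityActionsAreForbiddenOnCaseInsensitiveSpecificRoles()
+    {
+        $this->logIn(['ROLE_ADMIN']);
+
+        $this->client->followRedirects();
+
+        // Edit
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'edit', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Edit', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'EDIT', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_EDIT_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+
+        // Show
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'show', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'Show', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => 'SHOW', 'id' => 1]);
+        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
+        $this->assertSame(
+            'You must be granted ROLE_TEST_SHOW_PRODUCT role to perform this entity action ! (403 Forbidden)',
+            trim($crawler->filterXPath('//head/title')->text())
+        );
+    }
 }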
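Review bot: The regression test never exercises the `list` action that the commit message and the source comment name as the bypassed case, and it also leaves `new` and `delete` untested, so the exact scenario that motivated the fix has no coverage; a variant with `['entity' => 'Product', 'action' => 'LIST']` asserting 403 should be added, assuming the fixture assigns a role to that action (not visible here). A positive counterpart — a user holding `ROLE_TEST_EDIT_PRODUCT` still getting 200 for `'action' => 'EDIT'` — would confirm that normalization grants access for legitimate callers rather than only denying it. Six near-identical blocks that differ only in the action string and role name are better expressed as a data provider, which also makes adding the missing actions a one-line change.
```php
    /**
     * @dataProvider caseVariantActionProvider
     */
    public function testEntityActionsAreForbiddenOnCaseInsensitiveSpecificRoles(string $action, string $role)
    {
        $this->logIn(['ROLE_ADMIN']);
        $this->client->followRedirects();

        $crawler = $this->getBackendPage(['entity' => 'Product', 'action' => $action, 'id' => 1]);
        $this->assertSame(403, $this->client->getResponse()->getStatusCode());
        $this->assertSame(
            sprintf('You must be granted %s role to perform this entity action ! (403 Forbidden)', $role),
            trim($crawler->filterXPath('//head/title')->text())
        );
    }

    public function caseVariantActionProvider(): array
    {
        return [
            ['edit', 'ROLE_TEST_EDIT_PRODUCT'], ['Edit', 'ROLE_TEST_EDIT_PRODUCT'], ['EDIT', 'ROLE_TEST_EDIT_PRODUCT'],
            ['show', 'ROLE_TEST_SHOW_PRODUCT'], ['Show', 'ROLE_TEST_SHOW_PRODUCT'], ['SHOW', 'ROLE_TEST_SHOW_PRODUCT'],
            // TODO: add 'list', 'new' and 'delete' variants once the fixture's roles for them are confirmed.
        ];
    }
```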
