DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2024-12-26 06:04:08 -08:00
Code Issues Actions 11 Packages Projects Releases Wiki Activity

Merge pull request #13932 from snipe/features/use_allowlist_for_user_logging

Browse source 
Use allowlist for user observer logging
This commit is contained in:
snipe 2023-11-22 23:01:52 +00:00 committed by GitHub
parent e269415fec ba127be344
commit bb0ba0bebe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 78 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/Http/Controllers/Auth/LoginController.php
View file

@ -56,7 +56,6 @@ class LoginController extends Controller
parent::__construct(); parent::__construct();
$this->middleware('guest', ['except' => ['logout', 'postTwoFactorAuth', 'getTwoFactorAuth', 'getTwoFactorEnroll']]); $this->middleware('guest', ['except' => ['logout', 'postTwoFactorAuth', 'getTwoFactorAuth', 'getTwoFactorEnroll']]);
Session::put('backUrl', \URL::previous()); Session::put('backUrl', \URL::previous());
// $this->ldap = $ldap;
$this->saml = $saml; $this->saml = $saml;
} }
@ -82,7 +81,6 @@ class LoginController extends Controller
} }
if (Setting::getSettings()->login_common_disabled == '1') { if (Setting::getSettings()->login_common_disabled == '1') {
\Log::debug('login_common_disabled is set to 1 - return a 403');
return view('errors.403'); return view('errors.403');
} }

7
app/Http/Controllers/ProfileController.php
View file

@ -134,6 +134,7 @@ class ProfileController extends Controller
]; ];
$validator = \Validator::make($request->all(), $rules); $validator = \Validator::make($request->all(), $rules);
$validator->after(function ($validator) use ($request, $user) { $validator->after(function ($validator) use ($request, $user) {
if (! Hash::check($request->input('current_password'), $user->password)) { if (! Hash::check($request->input('current_password'), $user->password)) {
$validator->errors()->add('current_password', trans('validation.custom.hashed_pass')); $validator->errors()->add('current_password', trans('validation.custom.hashed_pass'));
@ -159,12 +160,14 @@ class ProfileController extends Controller
}); });
if (! $validator->fails()) { if (! $validator->fails()) {
$user->password = Hash::make($request->input('password')); $user->password = Hash::make($request->input('password'));
$user->save(); // We have to use saveQuietly here because for some reason this method was calling the User Oserver twice :(
$user->saveQuietly();
// Log the user out of other devices // Log the user out of other devices
Auth::logoutOtherDevices($request->input('password')); Auth::logoutOtherDevices($request->input('password'));
return redirect()->route('account.password.index')->with('success', 'Password updated!'); return redirect()->route('account')->with('success', trans('passwords.password_change'));
} }
return redirect()->back()->withInput()->withErrors($validator); return redirect()->back()->withInput()->withErrors($validator);

91
app/Observers/UserObserver.php
View file

@ -17,47 +17,78 @@ class UserObserver
public function updating(User $user) public function updating(User $user)
{ {
// ONLY allow these fields to be stored
$allowed_fields = [
'email',
'activated',
'first_name',
'last_name',
'website',
'country',
'gravatar',
'location_id',
'phone',
'jobtitle',
'manager_id',
'employee_num',
'username',
'notes',
'company_id',
'ldap_import',
'locale',
'two_factor_enrolled',
'two_factor_optin',
'department_id',
'address',
'address2',
'city',
'state',
'zip',
'remote',
'start_date',
'end_date',
'autoassign_licenses',
'vip',
'password'
];
$changed = []; $changed = [];
foreach ($user->getRawOriginal() as $key => $value) { foreach ($user->getRawOriginal() as $key => $value) {
if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) { // Make sure the info is in the allow fields array
if (in_array($key, $allowed_fields)) {
$changed[$key]['old'] = $user->getRawOriginal()[$key]; // Check and see if the value changed
$changed[$key]['new'] = $user->getAttributes()[$key]; if ($user->getRawOriginal()[$key] != $user->getAttributes()[$key]) {
// Do not store the hashed password in changes $changed[$key]['old'] = $user->getRawOriginal()[$key];
if ($key == 'password') { $changed[$key]['new'] = $user->getAttributes()[$key];
$changed['password']['old'] = '*************';
$changed['password']['new'] = '*************';
}
// Do not store last login in changes // Do not store the hashed password in changes
if ($key == 'last_login') { if ($key == 'password') {
unset($changed['last_login']); $changed['password']['old'] = '*************';
unset($changed['last_login']); $changed['password']['new'] = '*************';
} }
if ($key == 'permissions') {
unset($changed['permissions']);
unset($changed['permissions']);
}
if ($key == 'remember_token') {
unset($changed['remember_token']);
unset($changed['remember_token']);
} }
} }
} }
$logAction = new Actionlog(); if (count($changed) > 0) {
$logAction->item_type = User::class; $logAction = new Actionlog();
$logAction->item_id = $user->id; $logAction->item_type = User::class;
$logAction->target_type = User::class; // can we instead say $logAction->item = $asset ? $logAction->item_id = $user->id;
$logAction->target_id = $user->id; $logAction->target_type = User::class; // can we instead say $logAction->item = $asset ?
$logAction->created_at = date('Y-m-d H:i:s'); $logAction->target_id = $user->id;
$logAction->user_id = Auth::id(); $logAction->created_at = date('Y-m-d H:i:s');
$logAction->log_meta = json_encode($changed); $logAction->user_id = Auth::id();
$logAction->logaction('update'); $logAction->log_meta = json_encode($changed);
$logAction->logaction('update');
}
} }
/** /**

1
resources/lang/en/passwords.php
View file

@ -5,4 +5,5 @@ return [
'user' => 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.', 'user' => 'If a matching user with a valid email address exists in our system, a password recovery email has been sent.',
'token' => 'This password reset token is invalid or expired, or does not match the username provided.', 'token' => 'This password reset token is invalid or expired, or does not match the username provided.',
'reset' => 'Your password has been reset!', 'reset' => 'Your password has been reset!',
'password_change' => 'Your password has been updated!',
]; ];

18
resources/views/account/view-assets.blade.php
View file

@ -10,15 +10,17 @@
@section('content') @section('content')
@if ($acceptances = \App\Models\CheckoutAcceptance::forUser(Auth::user())->pending()->count()) @if ($acceptances = \App\Models\CheckoutAcceptance::forUser(Auth::user())->pending()->count())
<div class="col-md-12"> <div class="row">
<div class="alert alert alert-warning fade in"> <div class="col-md-12">
<i class="fas fa-exclamation-triangle faa-pulse animated"></i> <div class="alert alert alert-warning fade in">
<i class="fas fa-exclamation-triangle faa-pulse animated"></i>
<strong> <strong>
<a href="{{ route('account.accept') }}" style="color: white;"> <a href="{{ route('account.accept') }}" style="color: white;">
{{ trans('general.unaccepted_profile_warning', array('count' => $acceptances)) }} {{ trans('general.unaccepted_profile_warning', array('count' => $acceptances)) }}
</a> </a>
</strong> </strong>
</div>
</div> </div>
</div> </div>
@endif @endif