base: restrict changing a user id

while setting an initial user id should be allowed for any user which can create a person, changing an already set user id can have security implications, so we protect it with a more strict permission

base: restrict changing a user id
while setting an initial user id should be allowed for any user which can create a person, changing an already set user id can have security implications, so we protect it with a more strict permission
45d16764 · Jérome Perrin · b9cdfb58 · 45d16764 · 45d16764
Commit 45d16764 authored Aug 17, 2020 by Jérome Perrin
2 changed files
--- a/bt5/erp5_base/DocumentTemplateItem/portal_components/document.erp5.Person.py
+++ b/bt5/erp5_base/DocumentTemplateItem/portal_components/document.erp5.Person.py
@@ -36,6 +36,8 @@ from erp5.component.mixin.EncryptedPasswordMixin import EncryptedPasswordMixin
 from erp5.component.mixin.LoginAccountProviderMixin import LoginAccountProviderMixin
 from erp5.component.mixin.ERP5UserMixin import ERP5UserMixin
 from Products.DCWorkflow.DCWorkflow import ValidationFailed
+from Products.CMFCore.utils import _checkPermission
+from Products.CMFCore.exceptions import AccessControl_Unauthorized

 try:
  from Products import PluggableAuthService
@@ -216,12 +218,15 @@ class Person(Node, LoginAccountProviderMixin, EncryptedPasswordMixin, ERP5UserMi
      - we want to prevent duplicated user ids, but only when
        PAS _AND_ ERP5LoginUserManager are used
    """
-    if value != self.getUserId():
+    existing_user_id = self.getUserId()
+    if value != existing_user_id:
      if value:
        self.__checkUserIdAvailability(
          pas_plugin_class=ERP5LoginUserManager,
          user_id=value,
        )
+      if existing_user_id and not _checkPermission(Permissions.ManageUsers, self):
+        raise AccessControl_Unauthorized('setUserId')
      self._baseSetUserId(value)

  security.declareProtected(Permissions.ModifyPortalContent, 'initUserId')

--- a/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testPerson.py
+++ b/bt5/erp5_core_test/TestTemplateItem/portal_components/test.erp5.testPerson.py
@@ -258,6 +258,17 @@ class TestPerson(ERP5TypeTestCase):
    p.setPassword('secret')
    self.assertTrue(p.getPassword())

+  def testSetUserIdSecurity(self):
+    # Changing an already set user id needs "manage users" permissions,
+    # but setting an initial user id does not.
+    p = self._makeOne(user_id=None)
+    p.manage_permission(Permissions.ManageUsers, [], 0)
+    p.setUserId('initial_user_id')
+    self.tic()
+    self.assertRaises(Unauthorized, p.setUserId, 'something_else')
+    self.abort()
+    self.assertRaises(Unauthorized, p.edit, user_id='something_else')
+
  def testPasswordFormat(self):
    p = self._makeOne(id='person')
    p._setEncodedPassword('pass_A', format='A')