Security Bug 1817221: Stop admin from being able to suspend the 'root' user

behatnotneeded Change-Id: I1e4b44f7fa39779eaf91c992e47d8e075b6cbe33 Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>

Security Bug 1817221: Stop admin from being able to suspend the 'root' user
behatnotneeded Change-Id: I1e4b44f7fa39779eaf91c992e47d8e075b6cbe33 Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
6e554667 · Robert Lyon · 6dbc374d · 6e554667 · 6e554667 · 6e554667
Commit 6e554667 authored Feb 22, 2019 by Robert Lyon
4 changed files
--- a/htdocs/admin/users/edit.php
+++ b/htdocs/admin/users/edit.php
@@ -21,6 +21,11 @@ require_once('activity.php');
 require_once(get_config('docroot') . 'lib/antispam.php');

 $id = param_integer('id');
+if ($id == 0) {
+    // We shouldn't be editing / masquerading as 'root' user
+    throw new UserException(get_string('invaliduser', 'error'));
+}
+
 $user = new User;
 $user->find_by_id($id);
 $authobj = AuthFactory::create($user->authinstance);

--- a/htdocs/auth/lib.php
+++ b/htdocs/auth/lib.php
@@ -890,6 +890,11 @@ function privacy_form($ignoreagreevalue = false, $ignoreformswitch = false) {
 function auth_check_required_fields() {
    global $USER, $SESSION;

+    if ($USER->get('id') == 0) {
+        // We shouldn't be checking either logged out user or User = 0
+        throw new ConfigSanityException(get_string('invaliduser', 'error'));
+    }
+
    // for the case we are mascarading as the user and we want to return to be admin user
    $restoreadmin = param_integer('restore', 0);
    $loginanyway = false;

--- a/htdocs/lang/en.utf8/error.php
+++ b/htdocs/lang/en.utf8/error.php
@@ -119,6 +119,7 @@ $string['blockinstancenotfound'] = 'Block instance with id %s not found.';
 $string['interactioninstancenotfound'] = 'Activity instance with id %s not found.';

 $string['invalidviewaction'] = 'Invalid page control action: %s';
+$string['invaliduser'] = 'Invalid user selected';

 $string['missingparamblocktype'] = 'Try selecting a block type to add first.';
 $string['missingparamcolumn'] = 'Missing column specification';

--- a/htdocs/lib/user.php
+++ b/htdocs/lib/user.php
@@ -1422,6 +1422,11 @@ function get_user($userid) {
 * @param int $suspendinguserid The ID of the user who is performing the suspension
 */
 function suspend_user($suspendeduserid, $reason, $suspendinguserid=null) {
+    if ($suspendeduserid == 0) {
+        // We shouldn't be suspending 'root' user
+        throw new UserException(get_string('invaliduser', 'error'));
+    }
+
    if ($suspendinguserid === null) {
        global $USER;
        $suspendinguserid = $USER->get('id');