From 6e55466718a22c39f7fd9910d856f8f9c249086e Mon Sep 17 00:00:00 2001
From: Robert Lyon
Date: Fri, 22 Feb 2019 13:10:27 +1300
Subject: [PATCH] Security Bug 1817221: Stop admin from being able to suspend the 'root' user

behatnotneeded

Change-Id: I1e4b44f7fa39779eaf91c992e47d8e075b6cbe33
Signed-off-by: Robert Lyon
---
 htdocs/admin/users/edit.php   | 5 +++++
 htdocs/auth/lib.php           | 5 +++++
 htdocs/lang/en.utf8/error.php | 1 +
 htdocs/lib/user.php           | 5 +++++
 4 files changed, 16 insertions(+)

diff --git a/htdocs/admin/users/edit.php b/htdocs/admin/users/edit.php
index 102da7c34f..cf9b27ddac 100644
--- a/htdocs/admin/users/edit.php
+++ b/htdocs/admin/users/edit.php
@@ -21,6 +21,11 @@ require_once('activity.php');
 require_once(get_config('docroot') . 'lib/antispam.php');
 $id = param_integer('id');
+if ($id == 0) {
+    // We shouldn't be editing / masquerading as 'root' user
+    throw new UserException(get_string('invaliduser', 'error'));
+}
+
 $user = new User;
 $user->find_by_id($id);
 $authobj = AuthFactory::create($user->authinstance);
diff --git a/htdocs/auth/lib.php b/htdocs/auth/lib.php
index a65b504db4..feb3bfb44f 100644
--- a/htdocs/auth/lib.php
+++ b/htdocs/auth/lib.php
@@ -890,6 +890,11 @@ function privacy_form($ignoreagreevalue = false, $ignoreformswitch = false) {
 function auth_check_required_fields() {
     global $USER, $SESSION;
+    if ($USER->get('id') == 0) {
+        // We shouldn't be checking either logged out user or User = 0
+        throw new ConfigSanityException(get_string('invaliduser', 'error'));
+    }
+
     // for the case we are mascarading as the user and we want to return to be admin user
     $restoreadmin = param_integer('restore', 0);
     $loginanyway = false;
diff --git a/htdocs/lang/en.utf8/error.php b/htdocs/lang/en.utf8/error.php
index 0569aabcbd..bd94935711 100644
--- a/htdocs/lang/en.utf8/error.php
+++ b/htdocs/lang/en.utf8/error.php
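Review bot: The guard added after `$id = param_integer('id');` hard-codes the root user's id as the literal 0 with a loose `==`, and this commit introduces the same bare sentinel independently in htdocs/auth/lib.php and htdocs/lib/user.php, so what "root user" means now lives in three unrelated places. A single helper in lib/user.php, for example `function is_root_user($id) { return (int)$id === 0; }`, called from all three sites would keep the checks from drifting and make the rule greppable; here the line would become `if (is_root_user($id)) {`. If a helper is not wanted, `if ($id === 0) {` is the minimal change, since param_integer() presumably already yields an int. This script continues past the hunk, so I cannot tell whether other actions that take a user id on this or neighbouring admin pages reach the root user by a path this check does not cover.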
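Review bot: The new comment inside auth_check_required_fields() says id 0 means "either logged out user or User = 0", yet the check throws ConfigSanityException unconditionally, so if any caller reaches this function with an anonymous session the request ends in a configuration-error page instead of whatever the logged-out path did before; I cannot see the callers from this hunk, so this needs confirming rather than assuming. If anonymous sessions can arrive here, the two cases should be separated, returning early for a genuinely logged-out session and reserving the exception for a session that is actually logged in as id 0. The exception type is also inconsistent with the other two hunks of this commit, which use UserException for the same condition; `throw new UserException(get_string('invaliduser', 'error'));` would match them and is the more accurate class for a bad user rather than a bad configuration. The body of auth_check_required_fields() continues past the hunk.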
@@ -119,6 +119,7 @@ $string['blockinstancenotfound'] = 'Block instance with id %s not found.';
 $string['interactioninstancenotfound'] = 'Activity instance with id %s not found.';
 $string['invalidviewaction'] = 'Invalid page control action: %s';
+$string['invaliduser'] = 'Invalid user selected';
 $string['missingparamblocktype'] = 'Try selecting a block type to add first.';
 $string['missingparamcolumn'] = 'Missing column specification';
diff --git a/htdocs/lib/user.php b/htdocs/lib/user.php
index d2ec13add3..cce42787be 100644
--- a/htdocs/lib/user.php
+++ b/htdocs/lib/user.php
@@ -1422,6 +1422,11 @@ function get_user($userid) {
  * @param int $suspendinguserid The ID of the user who is performing the suspension
  */
 function suspend_user($suspendeduserid, $reason, $suspendinguserid=null) {
+    if ($suspendeduserid == 0) {
+        // We shouldn't be suspending 'root' user
+        throw new UserException(get_string('invaliduser', 'error'));
+    }
+
     if ($suspendinguserid === null) {
         global $USER;
         $suspendinguserid = $USER->get('id');
-- 
GitLab
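Review bot: The docblock of suspend_user(), which begins above the hunk (one `@param` line is visible as context), is not updated for the new early throw, so callers that catch exceptions from this function have no documented warning of the new case; add `@throws UserException if $suspendeduserid is the 'root' user (id 0)` alongside the existing `@param` lines. Note also that the loose `$suspendeduserid == 0` matches `null` and, on PHP 7, any non-numeric string, so a caller that passes a missing or malformed id will be told "Invalid user selected" rather than seeing a clearer error; that is fail-safe, but if it is intended a one-line comment saying so would help, and otherwise `if ($suspendeduserid === 0) {` on an id the caller has already validated as an int is the more precise check. The rest of suspend_user() continues past the hunk.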