
Commit a7a19bf

Fix sensitive data exposure vulnerability in /pm/v2/users API endpoints (#573)
1 parent 7dd0ef9 commit a7a19bf

3 files changed

Lines changed: 87 additions & 10 deletions


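--- a/core/Permissions/Create_Users.php
+++ b/core/Permissions/Create_Users.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace WeDevs\PM\Core\Permissions;
+
+use WeDevs\PM\Core\Permissions\Abstract_Permission;
+
+class Create_Users extends Abstract_Permission {
+/**
+* Check if the current user has permission to create users.
+*
+* @return bool|\WP_Error
+*/
+public function check() {
+$user_id = get_current_user_id();
+
+if ( empty( $user_id ) ) {
+return new \WP_Error(
+'rest_forbidden',
+__( 'You must be logged in to access this resource.', 'wedevs-project-manager' ),
+array( 'status' => 401 )
+);
+}
+
+// Only allow administrators and users with create_users capability
+if ( current_user_can( 'create_users' ) ) {
+return true;
+}
+
+return new \WP_Error(
+'rest_forbidden',
+__( 'You do not have permission to create users.', 'wedevs-project-manager' ),
+array( 'status' => 403 )
+);
+}
+}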
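Review bot: The logged-in guard and the two `\WP_Error` constructions in `check()` are repeated verbatim in the new `List_Users::check()`, so the two classes differ only in the capability they test; if `Abstract_Permission` (not in this commit) can host a shared "require logged in" helper, both reduce to the capability test plus one error, which keeps the 401/403 codes and messages consistent when more permission classes are added. Note also that on multisite WordPress core's `map_meta_cap` resolves `create_users` to `do_not_allow` unless the caller is a super admin or the network allows adding users, so site administrators may be refused by this check; if that is intended, state it in the docblock, e.g. `* On multisite this follows core's create_users mapping (super admins, or networks that permit adding users).`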

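--- a/core/Permissions/List_Users.php
+++ b/core/Permissions/List_Users.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace WeDevs\PM\Core\Permissions;
+
+use WeDevs\PM\Core\Permissions\Abstract_Permission;
+
+class List_Users extends Abstract_Permission {
+/**
+* Check if the current user has permission to list users.
+*
+* @return bool|\WP_Error
+*/
+public function check() {
+$user_id = get_current_user_id();
+
+if ( empty( $user_id ) ) {
+return new \WP_Error(
+'rest_forbidden',
+__( 'You must be logged in to access this resource.', 'wedevs-project-manager' ),
+array( 'status' => 401 )
+);
+}
+
+// Allow administrators and users with list_users capability
+if ( current_user_can( 'list_users' ) ) {
+return true;
+}
+
+// Allow users with PM manage capability
+if ( wedevs_pm_user_can_access( wedevs_pm_manager_cap_slug() ) ) {
+return true;
+}
+
+return new \WP_Error(
+'rest_forbidden',
+__( 'You do not have permission to list users.', 'wedevs-project-manager' ),
+array( 'status' => 403 )
+);
+}
+}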
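Review bot: The docblock on `check()` says only "permission to list users" and does not record that the method grants access on either of two independent conditions, `list_users` or the PM manager capability from `wedevs_pm_user_can_access( wedevs_pm_manager_cap_slug() )`; the second grant is plugin-specific and is the one an auditor will want to find, so name it in the docblock, e.g. `* Granted to holders of the list_users capability, or of the PM manager capability.` Since the commit is about sensitive data exposure, the PM-manager branch means every user record the controller returns is now readable by non-administrator managers; whether that output is limited to safe fields is decided in the controller, which is outside this commit, so a one-line comment here pointing at where the response fields are shaped would help the next reviewer.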

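--- a/routes/user.php
+++ b/routes/user.php
@@ -1,24 +1,26 @@
 <?php
 
 use WeDevs\PM\Core\Router\Router;
-use WeDevs\PM\Core\Permissions\Authentic;
 
 $wedevs_pm_router = Router::singleton();
 
+// User listing endpoints - require list_users capability or PM manager role
 $wedevs_pm_router->get( 'users', 'WeDevs/PM/User/Controllers/User_Controller@index' )
-->permission(['WeDevs\PM\Core\Permissions\Authentic']);
-$wedevs_pm_router->post( 'users', 'WeDevs/PM/User/Controllers/User_Controller@store' )
-->permission(['WeDevs\PM\Core\Permissions\Authentic']);
+->permission(['WeDevs\PM\Core\Permissions\List_Users']);
 $wedevs_pm_router->get( 'users/{id}', 'WeDevs/PM/User/Controllers/User_Controller@show' )
-->permission(['WeDevs\PM\Core\Permissions\Authentic']);
-
+->permission(['WeDevs\PM\Core\Permissions\List_Users']);
 $wedevs_pm_router->get( 'users/search', 'WeDevs/PM/User/Controllers/User_Controller@search' )
-->permission(['WeDevs\PM\Core\Permissions\Authentic']);
+->permission(['WeDevs\PM\Core\Permissions\List_Users']);
+$wedevs_pm_router->get( 'user-all-projects', 'WeDevs/PM/User/Controllers/User_Controller@get_user_all_projects' )
+->permission(['WeDevs\PM\Core\Permissions\List_Users']);
+
+// User creation - require create_users capability
+$wedevs_pm_router->post( 'users', 'WeDevs/PM/User/Controllers/User_Controller@store' )
+->permission(['WeDevs\PM\Core\Permissions\Create_Users']);
+
 //$wedevs_pm_router->put( 'users/{user_id}/roles', 'WeDevs/PM/User/Controllers/User_Controller@update_role' )
 // ->permission(['WeDevs\PM\Core\Permissions\Project_Manage_Capability']);
 
+// User meta update - already checks manage_options in controller
 $wedevs_pm_router->post( 'save_users_map_name', 'WeDevs/PM/User/Controllers/User_Controller@save_users_map_name' )
 ->permission(['WeDevs\PM\Core\Permissions\Authentic']);
-
-$wedevs_pm_router->get( 'user-all-projects', 'WeDevs/PM/User/Controllers/User_Controller@get_user_all_projects' )
-->permission(['WeDevs\PM\Core\Permissions\Authentic']);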
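Review bot: The `save_users_map_name` route keeps the `Authentic` permission and relies on the new comment `// User meta update - already checks manage_options in controller` for its real access control; that check cannot be verified from the route table and is the only one in this file enforced outside a permission class, so either a dedicated permission class for that route (name and location left to the project) or a comment naming the controller method that performs the `manage_options` check would make the route-level contract auditable. Separately, `users/search` and `user-all-projects` move from `Authentic` to `List_Users`, so any project-member facing feature that searches users (assignee pickers, for instance) will now need `list_users` or the PM manager capability; if ordinary members are expected to use those endpoints this is a functional regression worth confirming before release.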
