pageflow 12.0.0 → 12.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5743e9c16455ddedda06ac7f2f335a5a6361b320
-  data.tar.gz: c8ba3dc3473a937a1a18fa8d95abd5dc36baec99
+  metadata.gz: 38b651a6838c18e932f4aa388ff6056538003958
+  data.tar.gz: 8fb568b33219a77b03288fccec3a910f290b8fc3
 SHA512:
-  metadata.gz: 55da5bc6a8c3305171d819d154a62eefcdd8341dbc0fe753fde956ece59f5f19709619796d3d1ba4ce2d3e61165260273a11d84a61f1c0f93877307af21c5da0
-  data.tar.gz: b9e360e1243a39c35299c12e152dadcd2eba5c03704823e445eb0ad666bdb5e528852901edfc37697450e00031451e9c435b134e8d09c6783a9300313bcf3003
+  metadata.gz: e7cfec9c5b6573463fbef5f19dae0591b4f0100ff5512aec0fde2eb057e53e2ac274509a90c6d212d13e66ddb8f240788f889bc5ba31818f4fa215266d81f83b
+  data.tar.gz: 36f4bc205f70ae0676f590442fbba3bda6cdbdaff9fa24aa676f394c4764be4f7e7196917a023c544f593faf1501957760e85609034cedeab9f0844a36bd4118

data/CHANGELOG.md

@@ -1,5 +1,30 @@
 # CHANGELOG
 
+### Version 12.0.1
+
+2017-08-25
+
+[Compare changes](https://github.com/codevise/pageflow/compare/v12.0.0...v12.0.1)
+
+#### Security Patch
+
+Prevent escalation of privileges
+([#845](https://github.com/codevise/pageflow/pull/845))
+
+There are two bugs in Pageflow 12.0.0 that allow signed in users
+to escalate their privileges.
+
+* With a manually crafted request, any signed in user can set the
+  admin flag on their own user account.
+
+* With a manually crafted request, a user with account manager role in
+  at least one account, can add users to arbitrary accounts. This can
+  be used to gain account manager privileges in any account.
+
+Affected versions: 12.0.0 (including all release candidates)
+Unaffected version: 0.11.x and older
+Versions fixes: 12.0.1
+
 ### Version 12.0.0
 
 2017-08-10

data/admins/pageflow/user.rb

@@ -2,6 +2,8 @@ module Pageflow
   ActiveAdmin.register User do
     menu priority: 2, if: proc { authorized?(:index, current_user) }
 
+    actions :all, except: [:new, :create]
+
     config.batch_actions = false
     config.clear_action_items!
 
@@ -24,7 +26,7 @@ module Pageflow
 
     action_item(:invite, only: :index) do
       link_to I18n.t('pageflow.admin.users.invite_user'),
-              new_admin_user_path,
+              invitation_admin_users_path,
               data: {rel: 'invite_user'}
     end
 
@@ -91,6 +93,21 @@ module Pageflow
 
     form(partial: 'form')
 
+    collection_action :invitation, method: [:get, :post] do
+      @page_title = I18n.t('pageflow.admin.users.invite_user')
+      @invitation_form = InvitationForm.new(invitation_form_params.fetch(:invitation_form, {}),
+                                            AccountPolicy::Scope.new(current_user, Account)
+                                              .member_addable)
+
+      if request.post?
+        if @invitation_form.save
+          redirect_to(admin_user_path(@invitation_form.target_user))
+        else
+          render status: 422
+        end
+      end
+    end
+
     collection_action 'me', title: I18n.t('pageflow.admin.users.account'), method: [:get, :patch] do
       if request.patch?
         if current_user.update_with_password(user_profile_params)
@@ -137,26 +154,11 @@ module Pageflow
         super.includes(account_memberships: :entity)
       end
 
-      def build_new_resource
-        InvitedUser.new(permitted_params[:user])
-      end
-
-      def create_resource(user)
-        verify_quota!(:users, params[:user][:account])
-        known_user = User.find_by(email: resource.email)
-        membership_user = known_user ? known_user : resource
-        membership_params = {user: membership_user,
-                             entity_id: resource.initial_account,
-                             entity_type: 'Pageflow::Account'}
-        if resource.initial_role.present?
-          membership_params.merge!(role: resource.initial_role.to_sym)
-        end
-        Membership.create(membership_params)
-        if known_user
-          known_user
-        else
-          super
-        end
+      def invitation_form_params
+        params.permit(invitation_form: {
+                        user: permitted_user_attributes,
+                        membership: [:entity_id, :role]
+                      })
       end
 
       def user_profile_params
@@ -165,36 +167,25 @@ module Pageflow
                                      :current_password,
                                      :password,
                                      :password_confirmation,
-                                     :locale,
-                                     :admin)
+                                     :locale)
       end
 
       def permitted_params
-        result = params.permit(user: [:first_name,
-                                      :last_name,
-                                      :email,
-                                      :password,
-                                      :password_confirmation,
-                                      :locale,
-                                      :admin,
-                                      :initial_role,
-                                      :initial_account])
-        restrict_attributes(params[:id], result[:user]) if result[:user]
-        result
+        params.permit(user: permitted_user_attributes)
       end
 
       private
 
-      def restrict_attributes(_id, attributes)
-        unless authorized?(:set_admin, current_user)
-          attributes.delete(:admin)
-        end
+      def permitted_user_attributes
+        attributes = [
+          :first_name,
+          :last_name,
+          :email,
+          :locale
+        ]
 
-        if AccountPolicy::Scope.new(current_user, Pageflow::Account).member_addable.empty? ||
-           action_name.to_sym != :create
-          attributes.delete(:initial_role)
-          attributes.delete(:initial_account)
-        end
+        attributes << :admin if authorized?(:set_admin, current_user)
+        attributes
       end
     end
   end

data/app/models/pageflow/account_member_query.rb

@@ -0,0 +1,62 @@
+module Pageflow
+  class AccountMemberQuery
+    class Scope
+      # Account whose members we scope
+      # @return {Pageflow::Account}
+      attr_reader :account
+
+      # Base scope which is further scoped according to account role
+      # @return [ActiveRecord::Relation<User>]
+      attr_reader :scope
+
+      # Create scope that can limit base scope to account members at
+      # or above a given role
+      #
+      # @param {Pageflow::Account} account
+      #   Required. Membership account to check.
+      # @param [ActiveRecord::Relation<User>] scope
+      #   Optional. Membership entity to check.
+      def initialize(account, scope = User.all)
+        @account = account
+        @scope = scope
+      end
+
+      # Scope to those members from scope on account who have at least
+      # role
+      #
+      # @param {String} role
+      #   Required. Minimum role that we compare against.
+      # @return [ActiveRecord::Relation<User>]
+      def with_role_at_least(role)
+        scope.joins(memberships_for_account_with_at_least_role(role))
+             .where(membership_is_present)
+      end
+
+      private
+
+      # @api private
+      def memberships_for_account_with_at_least_role(role)
+        options = {roles: Roles.at_least(role), account_id: account.id}
+
+        sanitize_sql(<<-SQL, options)
+          LEFT OUTER JOIN pageflow_memberships as
+            pageflow_account_memberships ON
+          pageflow_account_memberships.user_id = users.id AND
+          pageflow_account_memberships.role IN (:roles) AND
+          pageflow_account_memberships.entity_id = :account_id AND
+          pageflow_account_memberships.entity_type = 'Pageflow::Account'
+        SQL
+      end
+
+      # @api private
+      def membership_is_present
+        'pageflow_account_memberships.entity_id IS NOT NULL'
+      end
+
+      # @api private
+      def sanitize_sql(sql, interpolations)
+        ActiveRecord::Base.send(:sanitize_sql_array, [sql, interpolations])
+      end
+    end
+  end
+end

data/app/models/pageflow/invitation_form.rb

@@ -0,0 +1,58 @@
+module Pageflow
+  # @api private
+  class InvitationForm
+    include ActiveModel::Model
+
+    attr_reader :membership, :target_user, :available_accounts
+
+    def initialize(attributes, available_accounts)
+      @attributes = attributes
+      @available_accounts = available_accounts
+
+      @invited_user = InvitedUser.new(attributes[:user])
+      @target_user = existing_user || @invited_user
+
+      @membership = @target_user.memberships.build(entity: initial_account,
+                                                   role: initial_role)
+    end
+
+    def user
+      @invited_user.becomes(User)
+    end
+
+    def save
+      return false unless valid?
+      Pageflow.config.quotas.get(:users, initial_account).verify_available!
+
+      membership.save!
+    end
+
+    def valid?
+      (existing_user || @invited_user.valid?) && membership.valid?
+    end
+
+    def existing_member
+      @existing_member ||=
+        initial_account && initial_account.users.find_by_email(user.email)
+    end
+
+    private
+
+    def existing_user
+      @existing_user ||=
+        User.find_by_email(user.email)
+    end
+
+    def initial_account
+      @initial_account ||= available_accounts.find_by_id(initial_account_id)
+    end
+
+    def initial_account_id
+      @attributes.fetch(:membership, {})[:entity_id]
+    end
+
+    def initial_role
+      @attributes.fetch(:membership, {})[:role] || 'member'
+    end
+  end
+end

data/app/models/pageflow/invited_user.rb

@@ -2,8 +2,6 @@ module Pageflow
   # Specialized User class containing invitation logic used by in the
   # users admin.
   class InvitedUser < User
-    attr_accessor :initial_account, :initial_role
-
     before_create :prepare_invitation
     after_create :send_invitation
 

data/app/views/admin/users/_form.html.erb

@@ -1,34 +1,12 @@
-<%= admin_form_for([:admin, @user.becomes(User)]) do |f| %>
+<%= admin_form_for([:admin, resource]) do |f| %>
   <%= f.inputs "Details" do %>
-    <% if @user.new_record? %>
-      <% Pageflow::AccountPolicy::Scope
-           .new(current_user, Pageflow::Account).member_addable.each do |account| %>
-        <%= quota_state_description(:users, account) %>
-      <% end %>
-    <% end %>
-
-    <%= f.input :email, hint: f.object.new_record? &&
-                                I18n.t('pageflow.admin.users.email_invitation_hint') %>
+    <%= f.input :email %>
     <%= f.input :first_name %>
     <%= f.input :last_name %>
     <%= f.input :locale,
                 as: :select,
                 include_blank: false,
                 collection: available_locales_collection %>
-
-    <% if Pageflow::AccountPolicy::Scope
-        .new(current_user, Pageflow::Account).member_addable.any? && @user.new_record? %>
-      <%= f.input :initial_account,
-                  collection: membership_accounts_collection(@user,
-                                                             Pageflow::Membership.new(user: @user)),
-                  include_blank: false,
-                  selected: (params[:user][:initial_account] if params[:user].present?) %>
-      <%= f.input :initial_role,
-                  collection: membership_roles_collection('Pageflow::Account'),
-                  include_blank: false,
-                  hint: t('pageflow.admin.memberships.on_account.role.hint_html'),
-                  selected: (params[:user][:initial_role] if params[:user].present?) %>
-    <% end %>
     <%= f.input :admin if authorized?(:set_admin, current_user) %>
   <% end %>
   <%= f.actions %>

data/app/views/admin/users/invitation.html.erb

@@ -0,0 +1,42 @@
+<%= admin_form_for(@invitation_form, url: invitation_admin_users_path) do |f| %>
+  <%= f.semantic_fields_for(@invitation_form.membership) do |m| %>
+    <%= f.semantic_fields_for(@invitation_form.user) do |u| %>
+      <% if @invitation_form.existing_member %>
+        <ul class="errors">
+          <li>
+            <%= t('pageflow.admin.users.member_exists') %>
+            <%= link_to(t('pageflow.admin.users.member_exists_link'),
+                        admin_user_path(@invitation_form.existing_member)) %>
+          </li>
+        </ul>
+      <% end %>
+
+      <%= f.inputs "Details" do %>
+        <% @invitation_form.available_accounts.each do |account| %>
+          <%= quota_state_description(:users, account) %>
+        <% end %>
+
+        <%= u.input :email, hint: I18n.t('pageflow.admin.users.email_invitation_hint') %>
+        <%= u.input :first_name %>
+        <%= u.input :last_name %>
+        <%= u.input :locale,
+                    as: :select,
+                    include_blank: false,
+                    collection: available_locales_collection %>
+        <%= m.input :entity_id,
+                    as: :select,
+                    collection: @invitation_form.available_accounts,
+                    include_blank: false,
+                    label: Pageflow::Membership.human_attribute_name(:account) %>
+        <%= m.input :role,
+                    collection: membership_roles_collection('Pageflow::Account'),
+                    include_blank: false,
+                    hint: t('pageflow.admin.memberships.on_account.role.hint_html') %>
+        <%= u.input :admin if authorized?(:set_admin, current_user) %>
+      <% end %>
+    <% end %>
+  <% end %>
+  <%= f.actions do %>
+    <%= f.action :submit, label: t('pageflow.admin.users.invite_user') %>
+  <% end %>
+<% end %>

data/config/locales/de.yml

@@ -869,6 +869,8 @@ de:
           delete_account_hint: Du möchtest die Anwendung nicht mehr nutzen?
           deleted: Dein Benutzerkonto wurde gelöscht.
           updated: Dein Profil wurde aktualisiert.
+        member_exists: Ein Benutzer mit der angegebenen E-Mail-Adresse ist bereits Mitglied des Kontos.
+        member_exists_link: Benutzer anzeigen
         no_accounts: Keine Konten
         no_entries: Keine Beiträge
         none: Sie haben keine Beiträge.

data/config/locales/en.yml

@@ -869,6 +869,8 @@ en:
           delete_account_hint: You don't want to continue using Pageflow?
           deleted: Your account has been deleted. You may sign-up for a new one at any time!
           updated: Your profile has been updated.
+        member_exists: A user with the given email address is already member of the account.
+        member_exists_link: View user
         no_accounts: No members
         no_entries: No stories
         none: There are no stories.

data/lib/pageflow/version.rb

@@ -1,3 +1,3 @@
 module Pageflow
-  VERSION = '12.0.0'.freeze
+  VERSION = '12.0.1'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pageflow
 version: !ruby/object:Gem::Version
-  version: 12.0.0
+  version: 12.0.1
 platform: ruby
 authors:
 - Codevise Solutions Ltd
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-10 00:00:00.000000000 Z
+date: 2017-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -1612,6 +1612,7 @@ files:
 - app/models/concerns/pageflow/suspendable.rb
 - app/models/concerns/pageflow/uploaded_file.rb
 - app/models/pageflow/account.rb
+- app/models/pageflow/account_member_query.rb
 - app/models/pageflow/audio_file.rb
 - app/models/pageflow/audio_file_url_templates.rb
 - app/models/pageflow/chapter.rb
@@ -1630,6 +1631,7 @@ files:
 - app/models/pageflow/home_button.rb
 - app/models/pageflow/image_file.rb
 - app/models/pageflow/image_file_url_templates.rb
+- app/models/pageflow/invitation_form.rb
 - app/models/pageflow/invited_user.rb
 - app/models/pageflow/membership.rb
 - app/models/pageflow/null_user.rb
@@ -1679,6 +1681,7 @@ files:
 - app/views/admin/users/_form.html.erb
 - app/views/admin/users/_quota_exhausted.html.erb
 - app/views/admin/users/delete_me.html.erb
+- app/views/admin/users/invitation.html.erb
 - app/views/admin/users/me.html.erb
 - app/views/components/pageflow/admin/add_membership_button_if_needed.rb
 - app/views/components/pageflow/admin/custom_scopes_renderer.rb