Merge pull request #491 from jjrom/develop

[SECURITY ISSUE] Correct issue that allow to get private ressources w…

Author: jjrom

app/resto/core/RestoConstants.php

@@ -20,7 +20,7 @@ class RestoConstants
     // [IMPORTANT] Starting resto 7.x, default routes are defined in RestoRouter class
 
     // resto version
-    const VERSION = '9.6.0';
+    const VERSION = '9.6.1';
 
     /* ============================================================
      *              NEVER EVER TOUCH THESE VALUES

app/resto/core/RestoRouter.php

@@ -326,7 +326,7 @@ private function instantiateRoute($validRoute, $method, $params)
                 'auth' => $validRoute[0]
             );
         }
-
+        
         /*
          * Authentication is required
          */

app/resto/core/RestoUser.php

@@ -205,14 +205,16 @@ public function __construct($profile, $context)
          */
         else {
 
-            if (isset($profile['username'])) {
-                $this->profile = (new UsersFunctions($this->context->dbDriver))->getUserProfile('username', $profile['username']);
-            }
-            else {
-                $this->profile = (new UsersFunctions($this->context->dbDriver))->getUserProfile('email', $profile['email'], array(
+            $target = isset($profile['username']) ? array('username', $profile['username']) : array('email', $profile['email']);
+
+            if ( array_key_exists('password', $profile) ) {
+                $this->profile = (new UsersFunctions($this->context->dbDriver))->getUserProfile($target[0], $target[1], array(
                     'password' => $profile['password'] ?? null
                 ));
             }
+            else {
+                $this->profile = (new UsersFunctions($this->context->dbDriver))->getUserProfile($target[0], $target[1]);
+            }
 
             if (!$this->profile) {
                 $this->profile = $this->unregistered;

app/resto/core/dbfunctions/UsersFunctions.php

@@ -206,12 +206,13 @@ public function getUserProfile($fieldName, $fieldValue, $params = array())
         /*
          * Check password
          */
-        if (isset($params['password'])) {
+        if ( array_key_exists('password', $params) ) {
+
             // External authentication
             if ($results[0]['password'] === str_repeat('*', 60)) {
                 RestoLogUtil::httpError(400, 'External user');
             }
-                
+            
             if (!password_verify($params['password'], $results[0]['password'])) {
                 RestoLogUtil::httpError(401);
             }