| Title | Craftcms CMS 5.10.1 Authorization Bypass |
|---|
| Description | Missing Authorization Check Allows Non-Admin CP Users to Reorder Global Sets
The `reorder-sets` action in Craft CMS's `GlobalsController` is missing the `requireAdmin()` check that the adjacent `save-set` and `delete-set` actions both enforce. Any authenticated CP user can POST to `/actions/globals/reorder-sets` and permanently reorder all global sets in the project config, regardless of whether they have admin access. The reordering is written through to the project config and persists across requests.
### Details
`GlobalsController` exposes three administrative actions for managing global set structure. Two of them gate on admin status; the third does not:
```php
// vendor/craftcms/cms/src/controllers/GlobalsController.php
public function actionSaveSet(): ?Response
{
    $this->requirePostRequest();
    $this->requireAdmin(); // enforced
    // ...
}

public function actionReorderSets(): Response
{
    $this->requirePostRequest();
    $this->requireAcceptsJson();
    // requireAdmin() is absent
    $setIds = Json::decode($this->request->getRequiredBodyParam('ids'));
    Craft::$app->getGlobals()->reorderSets($setIds);
    return $this->asSuccess();
}

public function actionDeleteSet(): Response
{
    $this->requirePostRequest();
    $this->requireAcceptsJson();
    $this->requireAdmin(); // enforced
    // ...
}
```
`reorderSets` writes the new order into the project config via `$projectConfig->set()`:
```php
// vendor/craftcms/cms/src/services/Globals.php
public function reorderSets(array $setIds): bool
{
    $projectConfig = Craft::$app->getProjectConfig();
    $uidsByIds = [];
    foreach ($setIds as $setId) {
        $uidsByIds[$setId] = Db::uidById(Table::GLOBALSETS, $setId);
    }
    foreach ($uidsByIds as $setId => $uid) {
        $sortOrder = array_search($setId, $setIds) + 1;
        $projectConfig->set(ProjectConfig::PATH_GLOBAL_SETS . '.' . $uid . '.sortOrder', $sortOrder);
    }
    return true;
}
```
The project config change is applied immediately and persisted. Because any authenticated CP user satisfies `requirePostRequest()` and `requireAcceptsJson()`, the effective access control for this action is only "has a CP session." |
|---|
| Source | https://github.com/craftcms/cms/commit/9bd05c91e6a7e6da5e949ec41a31c220c059aa04 |
|---|
| User | geochen (UID 78995) |
|---|
| Submitted | 2026-06-07 05:24 (29 days ago) |
|---|
| Moderated | 2026-07-05 20:26 (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 376387 [Craft CMS up to 4.18.0.1 reorder-sets Endpoint GlobalsController.php actionReorderSets privilege escalation] |
|---|
| Points | 20 |
|---|
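The defect described in the Details section is an action whose guard calls differ from its siblings. The following added example (not code from the page or from the Craft CMS project) is a small audit script that scans PHP controller source for public `action*` methods whose body never calls an authorization guard, so a missing `requireAdmin()` stands out among otherwise similar actions. The sample source is constructed to mirror the excerpt above, and the guard set (`requireAdmin`, `requirePermission`) is an assumption about which calls count as authorization.

```python
import re

# Constructed sample that mirrors the GlobalsController excerpt above (not the real file).
SAMPLE_CONTROLLER = """
public function actionSaveSet(): ?Response
{
    $this->requirePostRequest();
    $this->requireAdmin();
}
public function actionReorderSets(): Response
{
    $this->requirePostRequest();
    $this->requireAcceptsJson();
    $setIds = Json::decode($this->request->getRequiredBodyParam('ids'));
    Craft::$app->getGlobals()->reorderSets($setIds);
    return $this->asSuccess();
}
public function actionDeleteSet(): Response
{
    $this->requirePostRequest();
    $this->requireAcceptsJson();
    $this->requireAdmin();
}
"""

# Public Craft controller action: "public function actionFoo(...): Type {"
METHOD_RE = re.compile(r"public\s+function\s+(action\w+)\s*\([^)]*\)\s*:?\s*[\w?\\]*\s*\{")
# Calls treated as authorization guards (assumed set; requirePostRequest/AcceptsJson are not).
GUARD_RE = re.compile(r"\$this->(requireAdmin|requirePermission)\s*\(")


def action_bodies(src):
    """Yield (name, body) per action method; brace counting finds the body end.
    Braces inside string literals would skew the count, which is acceptable for an audit."""
    for m in METHOD_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]


def find_unguarded_actions(src, guard=GUARD_RE):
    """Return action names whose body never calls an authorization guard."""
    return [name for name, body in action_bodies(src) if not guard.search(body)]


if __name__ == "__main__":
    for name in find_unguarded_actions(SAMPLE_CONTROLLER):
        print(f"{name}: no requireAdmin()/requirePermission() call")  # flags actionReorderSets
```

Run it against a real controller file by reading the file into `src`; the report lists only unguarded actions, so a clean controller prints nothing.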