security: fix CVE 2022 46172 (#4275)

* fallback to current user in user_write, add flag to disable user creation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update api and web ui Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update default flows Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add cve post to website Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-23 14:12:58 +01:00
parent 44bf9a890e
commit 47d79ac28c
17 changed files with 167 additions and 25 deletions
--- a/blueprints/example/flows-enrollment-2-stage.yaml
+++ b/blueprints/example/flows-enrollment-2-stage.yaml
@ -95,7 +95,8 @@ entries:
      name: default-enrollment-user-write
    id: default-enrollment-user-write
    model: authentik_stages_user_write.userwritestage
-    attrs: {}
+    attrs:
+      can_create_users: true
  - identifiers:
      target: !KeyOf flow
      stage: !KeyOf default-enrollment-prompt-first
--- a/blueprints/example/flows-enrollment-email-verification.yaml
+++ b/blueprints/example/flows-enrollment-email-verification.yaml
@ -114,6 +114,7 @@ entries:
    model: authentik_stages_user_write.userwritestage
    attrs:
      create_users_as_inactive: true
+      can_create_users: true
  - identifiers:
      target: !KeyOf flow
      stage: !KeyOf default-enrollment-prompt-first
--- a/blueprints/example/flows-recovery-email-verification.yaml
+++ b/blueprints/example/flows-recovery-email-verification.yaml
@ -63,6 +63,8 @@ entries:
      name: default-recovery-user-write
    id: default-recovery-user-write
    model: authentik_stages_user_write.userwritestage
+    attrs:
+      can_create_users: false
  - identifiers:
      name: default-recovery-identification
    id: default-recovery-identification