Bug in Company Page company user creation? (Security release 202412.0)

victor.vanherpt (Spryker Solution Partner)

Hi, I come here because I tried to apply Security release 202412.0 to our project.

As it turns out, when I enable version 2.30.0 of the spryker-shop/company-page module (as per the doc https://docs.spryker.com/docs/about/all/releases/security-release-notes-202412.0.html#fix-the-vulnerability), our customers are then unable to create company users in their company.

I believe this is because the \SprykerShop\Yves\CompanyPage\Form\Constraint\CompanyUserCustomerRelationConstraintValidator::isValidCustomer function will always return false when $idCustomer is null (which it always is when creating a new user).

https://github.com/spryker-shop/company-page/blob/484e1d2022dee348f060c6d982f85c9cb63092e0/src/SprykerShop/Yves/CompanyPage/Form/Constraint/CompanyUserCustomerRelationConstraintValidator.php#L56


This can be checked in the executeCreateAction function in UserController:
https://github.com/spryker-shop/company-page/blob/484e1d2022dee348f060c6d982f85c9cb63092e0/src/SprykerShop/Yves/CompanyPage/Controller/UserController.php#L174


I believe the logic is flawed, or am I missing something?
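
To make the reported failure mode concrete, here is an added illustration in PHP 8.1 (my own sketch, not code from the spryker-shop/company-page module or from the poster) of a company-user/customer relation check. Variant A rejects a null customer id, which is what the post describes for the create path, so every "create company user" submission fails; variant B treats a null id as a customer that does not exist yet and therefore cannot belong to another company, while still rejecting an existing customer id that belongs to a different company, which is the cross-company takeover guard the security release is about. CustomerRecord, findCustomer(), isValidCustomerStrict(), isValidCustomerAllowingNew() and the in-memory sample data are all hypothetical names and values; the real check should be read from the linked CompanyUserCustomerRelationConstraintValidator source.

```php
<?php
declare(strict_types=1);

// Added illustration, not Spryker code. CustomerRecord, findCustomer() and the two
// isValidCustomer* functions are hypothetical names that model the question the
// validator answers: "may the submitted customer be attached to the current company?"

final class CustomerRecord
{
    public function __construct(
        public readonly int $idCustomer,
        public readonly int $idCompany,
    ) {
    }
}

/** @param array<int, CustomerRecord> $customers constructed in-memory stand-in for the database */
function findCustomer(array $customers, int $idCustomer): ?CustomerRecord
{
    return $customers[$idCustomer] ?? null;
}

/**
 * Variant A: reproduces the failure mode reported above. A null customer id
 * (the "create new company user" form, where no customer row exists yet) is
 * rejected outright, so every create submission fails validation.
 */
function isValidCustomerStrict(array $customers, ?int $idCustomer, int $idCurrentCompany): bool
{
    if ($idCustomer === null) {
        return false;
    }
    $customer = findCustomer($customers, $idCustomer);

    return $customer !== null && $customer->idCompany === $idCurrentCompany;
}

/**
 * Variant B: the behaviour a practitioner would expect. A null id means a
 * customer that does not exist yet, which cannot belong to another company,
 * so the create path passes. An existing id must resolve to a customer of the
 * current company; an unknown id or another company's customer is rejected.
 */
function isValidCustomerAllowingNew(array $customers, ?int $idCustomer, int $idCurrentCompany): bool
{
    if ($idCustomer === null) {
        return true;
    }
    $customer = findCustomer($customers, $idCustomer);

    return $customer !== null && $customer->idCompany === $idCurrentCompany;
}

// Constructed sample data: customer 10 belongs to company 1, customer 20 to company 2.
$customers = [
    10 => new CustomerRecord(10, 1),
    20 => new CustomerRecord(20, 2),
];

// [label, validator function name, submitted customer id, acting company id, expected result]
$cases = [
    ['create (null id), strict variant',          'isValidCustomerStrict',      null, 1, false],
    ['create (null id), allowing-new variant',    'isValidCustomerAllowingNew', null, 1, true],
    ['edit own customer 10 as company 1',         'isValidCustomerAllowingNew', 10,   1, true],
    ['submit company 2 customer 20 as company 1', 'isValidCustomerAllowingNew', 20,   1, false],
    ['submit unknown customer 99 as company 1',   'isValidCustomerAllowingNew', 99,   1, false],
];

foreach ($cases as [$label, $fn, $idCustomer, $idCompany, $expected]) {
    $actual = $fn($customers, $idCustomer, $idCompany);
    if ($actual !== $expected) {
        throw new RuntimeException("Unexpected result for '$label'");
    }
    printf("%-45s %s\n", $label, $actual ? 'valid' : 'rejected');
}
```

Run it with `php example.php`; the script throws if any case deviates from the outcome listed in the table, so the first row documents the create-path rejection and the remaining rows show that allowing a null id does not loosen the check on existing customers.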

Comments

  • victor.vanherpt (Spryker Solution Partner)

    Apparently, on https://www.b2b-eu.demo-spryker.com/en/company/user I can't reproduce the issue (and the security release seems to be applied there, as the company role permissions are available).

    I will further investigate the issue then :/

  • fsmeier (Senior Software Engineer & Developer Enablement Advocate, Sprykee, admin)

    Heyhey @victor.vanherpt ,

    very interesting - keep us updated if you find the difference!

    All the best,

    Florian

  • victor.vanherpt (Spryker Solution Partner)

    Hey @fsmeier! Could we somehow confirm which exact version is running on the online demo shops?

    I'd like to confirm whether the current https://www.b2b-eu.demo-spryker.com/ is using spryker-shop/company-page version 2.30.0 or higher.

    On the GitHub B2B demo running the 202410.0 release locally, I have 2.29.0 by default; if I update spryker-shop/company-page to 2.30.0, I start getting the error. (2.30.0 is needed to avoid account takeover from a different company according to https://docs.spryker.com/docs/about/all/releases/security-release-notes-202412.0.html#b2b-demo-shop-account-takeover-from-a-different-company )

    So I strongly believe this is a bug introduced by the 202412.0 security update's related spryker-shop/company-page update.


    Where should we report this to get faster support? This is blocking us from deploying the security release, which is already a couple of months old, and the business wants to get it live.

  • victor.vanherpt (Spryker Solution Partner)
    edited February 19

    I reported through the partner portal.
    This is especially important for us, because there is another bug we discovered when trying to create the company users via the back office (as a mitigation while the customers can't create their own).

    Trying to create a company user via https://backoffice.b2b-eu.demo-spryker.com/company-user-gui/list-company-user → Add user (https://backoffice.b2b-eu.demo-spryker.com/company-user-gui/create-company-user ) will trigger a 500 error.

    Locally (and on our production site) I've checked and reproduced it, and got a "cannot resolve store" error.

    Edit: wrong screenshot