new: [User] Add setting to limit site admin roles to instance's host org.

2023-10-04 12:40:04 +02:00 · 2023-10-04 12:40:04 +02:00 · 02e173b769
parent b6386674c4
commit 02e173b769
2 changed files with 18 additions and 0 deletions
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -6407,6 +6407,14 @@ class Server extends AppModel
                    'type' => 'boolean',
                    'null' => true
                ),
+                'limit_site_admins_to_host_org' => array(
+                    'level' => self::SETTING_RECOMMENDED,
+                    'description' => __('If enabled, it will only be possible to assign site admin roles to users belonging to the instance\'s host org.'),
+                    'value' => false,
+                    'test' => 'testBool',
+                    'type' => 'boolean',
+                    'null' => true
+                ),
                'disable_browser_cache' => array(
                    'level' => 0,
                    'description' => __('If enabled, HTTP headers that block browser cache will be send. Static files (like images or JavaScripts) will still be cached, but not generated pages.'),
--- a/app/Model/User.php
+++ b/app/Model/User.php
@ -262,6 +262,16 @@ class User extends AppModel
        if (empty($user['nids_sid'])) {
            $user['nids_sid'] = mt_rand(1000000, 9999999);
        }
+        if (!empty(Configure::read('Security.limit_site_admins_to_host_org'))){
+            if (!empty($user['role_id']) and !empty($user['org_id'] and $user['org_id'] != Configure::read('MISP.host_org_id'))){
+                $role = $this->Role->find('first', array(
+                    'conditions' => array('Role.id' => $user['role_id'])
+                ));
+                if (!empty($role) and $role['Role']['perm_site_admin'] === true){
+                    $this->invalidate('role_id', "Site admin roles can only be assigned to users of the host org on this instance.");
+                }
+            }
+        }
        return true;
    }