fix: [security] Org admins cannot delete site admin accounts see #9121
parent
e0bc2d57e5
commit
b2bb4f817b
@ -748,7 +748,7 @@ class ACLComponent extends Component
|
|||
'otp' => array('*'),
|
||||
'hotp' => array('*'),
|
||||
'totp_new' => array('*'),
|
||||
'totp_delete' => array('perm_site_admin'),
|
||||
'totp_delete' => array('perm_admin'),
|
||||
'searchGpgKey' => array('*'),
|
||||
'fetchGpgKey' => array('*'),
|
||||
'histogram' => array('*'),
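Review bot: Lowering `totp_delete` from `perm_site_admin` to `perm_admin` (reading the printed pair as old then new) puts the TOTP-removal action within reach of org admins, so the only thing that stops an org admin from stripping a site admin's second factor is the user lookup inside `admin_totp_delete`, which this commit does not show. That lookup should go through `__adminFetchConditions($id)` with the default edit restriction so site-admin accounts in the org are never matched; removing a site admin's second factor would otherwise be a privilege-escalation primitive. I would record the dependency next to the ACL entry: `// org admins may delete TOTP only for non-site-admin users of their org; enforced in admin_totp_delete via __adminFetchConditions()`.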
|
||||
|
|
|
@ -572,7 +572,7 @@ class UsersController extends AppController
|
|||
{
|
||||
$user = $this->User->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => $this->__adminFetchConditions($id),
|
||||
'conditions' => $this->__adminFetchConditions($id, $edit=False),
|
||||
'contain' => [
|
||||
'UserSetting',
|
||||
'Role',
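Review bot: `$edit=False` on the `conditions` line is not a named argument in PHP; it is an assignment expression that creates a stray local `$edit` in admin_view and passes `false` positionally, so the label gives a misleading impression of keyword safety. Pass the literal and explain the choice instead: `'conditions' => $this->__adminFetchConditions($id, false), // read-only: org admins may still view site admins of their org`. Lowercase `false`/`true` is the PSR-2 convention as well. admin_view's body continues outside the hunk.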
|
||||
|
@ -851,9 +851,6 @@ class UsersController extends AppController
|
|||
// MISP automatically chooses the first available option for the user as the selected setting (usually user)
|
||||
// Org admin is downgraded to a user
|
||||
// Now we make an exception for the already assigned role, both in the form and the actual edit.
|
||||
if (!empty($userToEdit['Role']['perm_site_admin'])) {
|
||||
throw new NotFoundException(__('Invalid user'));
|
||||
}
|
||||
$allowedRole = $userToEdit['User']['role_id'];
|
||||
$params = array('conditions' => array(
|
||||
'OR' => array(
|
||||
|
@ -1562,7 +1559,7 @@ class UsersController extends AppController
|
|||
public function admin_quickEmail($user_id)
|
||||
{
|
||||
$user = $this->User->find('first', array(
|
||||
'conditions' => $this->__adminFetchConditions($user_id),
|
||||
'conditions' => $this->__adminFetchConditions($user_id, $edit=False),
|
||||
'recursive' => -1
|
||||
));
|
||||
$error = false;
|
||||
|
@ -3004,7 +3001,7 @@ class UsersController extends AppController
|
|||
* @return array
|
||||
* @throws NotFoundException
|
||||
*/
|
||||
private function __adminFetchConditions($id)
|
||||
private function __adminFetchConditions($id, $edit = True)
|
||||
{
|
||||
if (empty($id)) {
|
||||
throw new NotFoundException(__('Invalid user'));
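Review bot: The docblock ending just above the signature is not updated for the new `$edit` parameter, whose name does not say what it controls (exclusion of site-admin targets for org admins). I would add `* @param bool $edit When true (default), org admins are additionally prevented from matching site-admin accounts; pass false only for read-only actions such as admin_view and admin_quickEmail.` and write the default as lowercase `true` per PSR-2. The function body continues outside the hunk.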
|
||||
|
@ -3014,6 +3011,9 @@ class UsersController extends AppController
|
|||
$user = $this->Auth->user();
|
||||
if (!$user['Role']['perm_site_admin']) {
|
||||
$conditions['User.org_id'] = $user['org_id']; // org admin
|
||||
if ($edit) {
|
||||
$conditions['Role.perm_site_admin'] = False;
|
||||
}
|
||||
}
|
||||
return $conditions;
|
||||
}
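Review bot: The branch `$conditions['Role.perm_site_admin'] = False;` is now the single point that keeps org admins from editing or deleting site-admin accounts (#9121) and deserves a why-comment: `// org admins must never modify or delete site admins (#9121); read-only callers opt out with $edit = false`. Because the condition is on the associated `Role` model, every caller must ensure `Role` is joined (contain or recursive >= 0); if it is not, the query presumably errors rather than silently widening access, which is the safe failure mode but worth noting for maintainers. The deleting callers (admin_delete, admin_totp_delete) are not in this diff and must keep the default `$edit`. The function's signature is in the preceding hunk.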
|
||||
|
|