From 04322b24dfd65934c4b13ecc7ac269d3109ee223 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Fri, 6 Dec 2024 07:25:02 +0100
Subject: [PATCH] fix: [user editing] fixed for roles <= community admin, fixes #198

---
 src/Controller/UsersController.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 0e3ba37..6ec1e95 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -320,11 +320,12 @@ class UsersController extends AppController
 }
 return $data;
 };
- $params['beforeSave'] = function ($data) use ($currentUser, $validRoles, $validOrgIds) {
- if (!in_array($data['role_id'], array_keys($validRoles)) && $this->ACL->getUser()['id'] != $data['id']) {
+ $params['beforeSave'] = function ($data) use ($currentUser, $validRoles, $validOrgIds, $params) {
+ // only run these checks if the user CAN edit them and if the values are actually set in the request
+ if (in_array('role_id', $params['fields']) && isset($data['role_id']) && !in_array($data['role_id'], array_keys($validRoles)) && $this->ACL->getUser()['id'] != $data['id']) {
 throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
 }
- if (!in_array($data['organisation_id'], $validOrgIds)) {
+ if (in_array('organisation_id', $params['fields']) && isset($data['organisation_id']) && !in_array($data['organisation_id'], $validOrgIds)) {
 throw new MethodNotAllowedException(__('You cannot assign the chosen organisation to a user.'));
 }
 return $data;
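Review bot: The added `in_array('role_id', $params['fields'])` gate on the new `if` makes the role check depend on the field whitelist being enforced somewhere outside this hunk; if the CRUD layer does not strip non-whitelisted keys from `$data` before `beforeSave` runs, a request that carries `role_id` from an editor whose field list excludes it is now saved without the check that the removed line applied unconditionally (the same applies to `organisation_id`). If that enforcement cannot be confirmed, make the closure self-contained by dropping the field when it is not editable, e.g. `if (!in_array('role_id', $params['fields'], true)) { unset($data['role_id']); }` ahead of each check, so the new `isset` short-circuit is safe by construction. Note also that `use ($params)` copies `$params` as it is at closure creation, so any later change to `$params['fields']` would not reach these checks — presumably fine if `fields` is final by this point, but worth confirming. The pre-existing `!= $data['id']` self-edit exemption and the non-strict `in_array` calls survive on the new side; passing `strict: true` (with the request value cast to int first) would avoid loose-comparison surprises such as a boolean `true` matching any key. The closure body continues past the end of the hunk.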