cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [individual:getValidToEdit] Restricted ACL to prevent one org_admin to edit another from the same org

refacto/CRUDComponent
Sami Mokaddem 2023-02-24 11:18:48 +01:00
parent af8f1e9e74
commit 0833a8c0e4
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/Model/Table/IndividualsTable.php
View File

@ -124,12 +124,15 @@ class IndividualsTable extends AppTable
public function getValidIndividualsToEdit(object $currentUser): array public function getValidIndividualsToEdit(object $currentUser): array
{ {
$adminRoles = $this->Users->Roles->find('list')->select(['id'])->where(['perm_admin' => 1])->all()->toArray(); $validRoles = $this->Users->Roles->find('list')->select(['id'])->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->toArray();
$validIndividualIds = $this->Users->find('list')->select(['individual_id'])->where( $validIndividualIds = $this->Users->find('list')->select(['individual_id'])->where(
[ [
'organisation_id' => $currentUser['organisation_id'], 'organisation_id' => $currentUser['organisation_id'],
'disabled' => 0, 'disabled' => 0,
'role_id NOT IN' => array_keys($adminRoles) 'OR' => [
['role_id IN' => array_keys($validRoles)],
['id' => $currentUser['id']],
]
] ]
)->all()->toArray(); )->all()->toArray();
return array_keys($validIndividualIds); return array_keys($validIndividualIds);