fix: [individual:getValidToEdit] Restricted ACL to prevent one org_admin to edit another from the same org

refacto/CRUDComponent
Sami Mokaddem 2023-02-24 11:18:48 +01:00
parent af8f1e9e74
commit 0833a8c0e4
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
1 changed files with 5 additions and 2 deletions


@ -124,12 +124,15 @@ class IndividualsTable extends AppTable
public function getValidIndividualsToEdit(object $currentUser): array
{
$adminRoles = $this->Users->Roles->find('list')->select(['id'])->where(['perm_admin' => 1])->all()->toArray();
$validRoles = $this->Users->Roles->find('list')->select(['id'])->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->toArray();
$validIndividualIds = $this->Users->find('list')->select(['individual_id'])->where(
[
'organisation_id' => $currentUser['organisation_id'],
'disabled' => 0,
'role_id NOT IN' => array_keys($adminRoles)
'OR' => [
['role_id IN' => array_keys($validRoles)],
['id' => $currentUser['id']],
]
]
)->all()->toArray();
return array_keys($validIndividualIds);