cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [security] Group admin ACL 

- group admin can inject user into organisation not managed by themselves

- as reported by Jeroen Pinoy (@wachizungu)
pull/196/head
iglocska 2024-11-28 16:56:51 +01:00
parent da4bd943b7
commit 1c8bcc045e
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Controller/UsersController.php
View File

@ -320,10 +320,13 @@ class UsersController extends AppController
} }
return $data; return $data;
}; };
$params['beforeSave'] = function ($data) use ($currentUser, $validRoles) { $params['beforeSave'] = function ($data) use ($currentUser, $validRoles, $validOrgIds) {
if (!in_array($data['role_id'], array_keys($validRoles)) && $this->ACL->getUser()['id'] != $data['id']) { if (!in_array($data['role_id'], array_keys($validRoles)) && $this->ACL->getUser()['id'] != $data['id']) {
throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.')); throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
} }
if (!in_array($data['organisation_id'], $validOrgIds)) {
throw new MethodNotAllowedException(__('You cannot assign the chosen organisation to a user.'));
}
return $data; return $data;
}; };
} }