From 2e7aabf704c6a0d27f86992e040cab0d28f67bd9 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Wed, 26 Jan 2022 16:10:33 +0100
Subject: [PATCH] fix: [users:toggle] Prevent users to disable admins

---
 src/Controller/Component/ACLComponent.php  |  3 +++
 src/Controller/Component/CRUDComponent.php |  3 +++
 src/Controller/UsersController.php         | 14 +++++++++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/Controller/Component/ACLComponent.php b/src/Controller/Component/ACLComponent.php
index a1c4533..57180c2 100644
--- a/src/Controller/Component/ACLComponent.php
+++ b/src/Controller/Component/ACLComponent.php
@@ -291,6 +291,9 @@ class ACLComponent extends Component
                 return false;
             }
             if (!$currentUser['role']['perm_admin']) {
+                if ($user['role']['perm_admin']) {
+                    return false; // org_admins cannot edit admins
+                }
                 if (!$currentUser['role']['perm_org_admin']) {
                     return false;
                 } else {
diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index 8ec8692..1a1e733 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -967,6 +967,9 @@ class CRUDComponent extends Component
         }
         $data = $this->Table->get($id, $params);
+        if (isset($params['afterFind'])) {
+            $data = $params['afterFind']($data, $params);
+        }
         if ($this->request->is(['post', 'put'])) {
             if (isset($params['force_state'])) {
                 $data->{$fieldName} = $params['force_state'];
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index bca2c5a..b81fde2 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
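Review bot: The new guard in canEditUser fails open when the target user's role was not loaded: without a `Roles` containment `$user['role']` is null, `$user['role']['perm_admin']` evaluates to null with only a warning, and control falls through to the org_admin branch, so the protection depends on every caller remembering `'contain' => 'Roles'`. A fail-closed form does not have that dependency: `if (empty($user['role']) || !empty($user['role']['perm_admin'])) { return false; // non-admins may not edit admins; an unloaded role is treated as admin }`. The enclosing method starts before this hunk and its org_admin branch continues after it, so I cannot see whether the org-scoping below relies on the loaded role in the same way.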
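Review bot: The new `afterFind` hook has no comment stating its contract, and whatever the callback returns unconditionally replaces `$data`, so a callback that forgets `return $user` leaves `$data` null and the `$data->{$fieldName}` assignments below fail. I would add above the `isset` check: `// Optional 'afterFind' callback: receives the loaded entity and $params, runs for every request method (so it can authorize GET as well as POST/PUT), may throw to abort, and must return the entity.` Note also that `$params` is forwarded to `$this->Table->get()` with the closure still inside it; Cake's finders ignore unknown options as far as I know, but unsetting the key before the query would make that independent of ORM behaviour. toggle() starts before this hunk and continues after it.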
@@ -184,7 +184,19 @@ class UsersController extends AppController
     public function toggle($id, $fieldName = 'disabled')
     {
-        $this->CRUD->toggle($id, $fieldName);
+        $params = [
+            'contain' => 'Roles'
+        ];
+        $currentUser = $this->ACL->getUser();
+        if (!$currentUser['role']['perm_admin']) {
+            $params['afterFind'] = function ($user, &$params) use ($currentUser) {
+                if (!$this->ACL->canEditUser($currentUser, $user)) {
+                    throw new MethodNotAllowedException(__('You cannot edit the given user.'));
+                }
+                return $user;
+            };
+        }
+        $this->CRUD->toggle($id, $fieldName, $params);
         $responsePayload = $this->CRUD->getResponsePayload();
         if (!empty($responsePayload)) {
             return $responsePayload;
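Review bot: The authorization failure inside the `afterFind` closure is raised as `MethodNotAllowedException` (HTTP 405), which tells the client the verb is wrong rather than that it lacks permission, so an org_admin probing `/users/toggle/<admin id>` gets a misleading status and any client keyed on 405 may retry with another method. Cake's `ForbiddenException` (403) carries the intended meaning: `throw new ForbiddenException(__('You cannot edit the given user.'));` (the `use Cake\Http\Exception\ForbiddenException;` import would go in the file's import block, which is outside this hunk). Separately, `$fieldName` still appears to arrive straight from the route with only a default of `'disabled'`, so an authorised caller can flip any boolean column of the users table; since this commit is about who may toggle what, rejecting anything other than `'disabled'` before calling `$this->CRUD->toggle()` would close that gap. The `&$params` by-reference parameter of the closure is never used and can be dropped. Whether edit/delete apply the same canEditUser check is outside this hunk.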