fix: [authkeys] tighten requirements to add authkeys for other org admins

- site admin: can add to all - org admin: can add to all in org, except site admin - everyone else: can add to self only
2022-01-17 17:16:03 +01:00 · 2022-01-17 17:16:03 +01:00 · 6d13d4aba0
parent e8f57dc40f
commit 6d13d4aba0
2 changed files with 27 additions and 4 deletions
--- a/src/Controller/AuthKeysController.php
+++ b/src/Controller/AuthKeysController.php
@ -64,8 +64,30 @@ class AuthKeysController extends AppController
    public function add()
    {
        $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate');
+        $validUsers = [];
+        $userConditions = [];
+        $currentUser = $this->ACL->getUser();
+        if (empty($currentUser['role']['perm_admin'])) {
+            if (empty($currentUser['role']['perm_org_admin'])) {
+                $userConditions['id'] = $currentUser['id'];
+            } else {
+                $role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0])->all()->extract('id')->toList();
+                $userConditions['role_id IN'] = $role_ids;
+            }
+        }
+        $users = $this->Users->find('list');
+        if (!empty($userConditions)) {
+            $users->where($userConditions);
+        }
+        $users = $users->order(['username' => 'asc'])->all()->toList();
        $this->CRUD->add([
-            'displayOnSuccess' => 'authkey_display'
+            'displayOnSuccess' => 'authkey_display',
+            'beforeSave' => function($data) use ($users) {
+                if (!in_array($data['user_id'], array_keys($users))) {
+                    return false;
+                }
+                return $data;
+            }
        ]);
        $responsePayload = $this->CRUD->getResponsePayload([
            'displayOnSuccess' => 'authkey_display'
@ -75,9 +97,7 @@ class AuthKeysController extends AppController
        }
        $this->loadModel('Users');
        $dropdownData = [
-            'user' => $this->Users->find('list', [
-                'sort' => ['username' => 'asc']
-            ])
+            'user' => $users
        ];
        $this->set(compact('dropdownData'));
    }
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@ -175,6 +175,9 @@ class CRUDComponent extends Component
            $data = $this->Table->patchEntity($data, $input, $patchEntityParams);
            if (isset($params['beforeSave'])) {
                $data = $params['beforeSave']($data);
+                if ($data === false) {
+                    throw new NotFoundException(__('Could not save {0} due to the input failing to meet expectations. Your input is bad and you should feel bad.', $this->ObjectAlias));
+                }
            }
            $savedData = $this->Table->save($data);
            if ($savedData !== false) {