From 6d13d4aba0082a4bec862a8595ef3d50fe3574e8 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Mon, 17 Jan 2022 17:16:03 +0100
Subject: [PATCH] fix: [authkeys] tighten requirements to add authkeys for other org admins
- site admin: can add to all
- org admin: can add to all in org, except site admin
- everyone else: can add to self only
---
 src/Controller/AuthKeysController.php | 28 ++++++++++++++++++----
 src/Controller/Component/CRUDComponent.php | 3 +++
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/src/Controller/AuthKeysController.php b/src/Controller/AuthKeysController.php
index 9e8ac03..454b922 100644
--- a/src/Controller/AuthKeysController.php
+++ b/src/Controller/AuthKeysController.php
@@ -64,8 +64,30 @@ class AuthKeysController extends AppController
 public function add()
 {
 $this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate');
+ $validUsers = [];
+ $userConditions = [];
+ $currentUser = $this->ACL->getUser();
+ if (empty($currentUser['role']['perm_admin'])) {
+ if (empty($currentUser['role']['perm_org_admin'])) {
+ $userConditions['id'] = $currentUser['id'];
+ } else {
+ $role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0])->all()->extract('id')->toList();
+ $userConditions['role_id IN'] = $role_ids;
+ }
+ }
+ $users = $this->Users->find('list');
+ if (!empty($userConditions)) {
+ $users->where($userConditions);
+ }
+ $users = $users->order(['username' => 'asc'])->all()->toList();
 $this->CRUD->add([
- 'displayOnSuccess' => 'authkey_display'
+ 'displayOnSuccess' => 'authkey_display',
+ 'beforeSave' => function($data) use ($users) {
+ if (!in_array($data['user_id'], array_keys($users))) {
+ return false;
+ }
+ return $data;
+ }
 ]);
 $responsePayload = $this->CRUD->getResponsePayload([
 'displayOnSuccess' => 'authkey_display'
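Review bot: The org-admin branch at `$userConditions['role_id IN'] = $role_ids;` filters only by role and never by organisation, so an org admin can issue keys for every non-site-admin user of every organisation, not just "all in org" as the commit message states; the current user's organisation needs to be added to `$userConditions` next to the role filter (the users table's organisation column is outside this hunk, so I cannot name it). A second problem: `$users->order(['username' => 'asc'])->all()->toList()` — if `toList()` re-indexes as CakePHP's collection API does — replaces the id keys of the `find('list')` result with 0..n-1, so `in_array($data['user_id'], array_keys($users))` in `beforeSave` tests the submitted id against positional indexes rather than the permitted user ids, and the same list feeds the dropdown in the next hunk; `->toArray()` keeps the id keys, and the check then becomes `if (!array_key_exists($data['user_id'], $users)) { return false; }`, which also copes with `user_id` arriving as a string. `$validUsers = [];` is never used and can be dropped, and `$role_ids` breaks the camelCase used by the surrounding locals.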
@@ -75,9 +97,7 @@ class AuthKeysController extends AppController
 }
 $this->loadModel('Users');
 $dropdownData = [
- 'user' => $this->Users->find('list', [
- 'sort' => ['username' => 'asc']
- ])
+ 'user' => $users
 ];
 $this->set(compact('dropdownData'));
 }
diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index 4ebabff..4ebc674 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -175,6 +175,9 @@ class CRUDComponent extends Component
 $data = $this->Table->patchEntity($data, $input, $patchEntityParams);
 if (isset($params['beforeSave'])) {
 $data = $params['beforeSave']($data);
+ if ($data === false) {
+ throw new NotFoundException(__('Could not save {0} due to the input failing to meet expectations. Your input is bad and you should feel bad.', $this->ObjectAlias));
+ }
 }
 $savedData = $this->Table->save($data);
 if ($savedData !== false) {
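Review bot: `$this->loadModel('Users');` now sits after the first hunk's new code has already dereferenced `$this->Users->find()` and `$this->Users->Roles`, so either Users is already loaded by the parent controller and this line is redundant, or the earlier calls fail before reaching it; move the load to the top of `add()` or delete it. The dropdown now receives the `$users` built in the first hunk with `toList()`; if that drops the id keys, the option values become positions rather than user ids, so that fix (`toArray()`) belongs there. `add()` starts outside this hunk.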
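Review bot: A `beforeSave` callback returning false is an authorization or validation failure, yet the new check raises `NotFoundException` (HTTP 404), which misreports the outcome to API clients and to anyone reading the logs; `ForbiddenException` (403) or `BadRequestException` (400) from the same `Cake\Http\Exception` namespace fits, and whichever class is used must be imported in the component's use block, which is outside this hunk. The message reaches the client, so a neutral `__('Could not save {0}: the submitted data failed validation.', $this->ObjectAlias)` reads better than the current wording. The check also changes the contract of every existing `beforeSave` parameter (false now aborts the request instead of being handed to `save()`); document it on the component, e.g. `// beforeSave may return false to reject the request; any other value is passed on to save()`. The enclosing method starts and ends outside the hunk.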