fix: [security] Sharing group creation on behalf of other organisation fixed

- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created

- as reported by Dawid Czarnecki of Zigrin Security

src/Controller/SharingGroupsController.php

@@ -37,10 +37,17 @@ class SharingGroupsController extends AppController
 
     public function add()
     {
+        $currentUser = $this->ACL->getUser();
         $this->CRUD->add([
             'override' => [
                 'user_id' => $this->ACL->getUser()['id']
-            ]
+            ],
+            'beforeSave' => function($data) use ($currentUser) {
+                if (!$currentUser['role']['perm_admin']) {
+                    $data['organisation_id'] = $currentUser['organisation_id'];
+                }
+                return $data;
+            }
         ]);
         $dropdownData = [
             'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser())