From 6e67a5b2392f7f1af06a3c7f14d75f696831d86f Mon Sep 17 00:00:00 2001
From: iglocska
Date: Sat, 19 Feb 2022 01:21:29 +0100
Subject: [PATCH] fix: [security] Sharing group creation on behalf of other organisation fixed

- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created
- as reported by Dawid Czarnecki of Zigrin Security
---
 src/Controller/SharingGroupsController.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/Controller/SharingGroupsController.php b/src/Controller/SharingGroupsController.php
index aa96cb4..e03aee5 100644
--- a/src/Controller/SharingGroupsController.php
+++ b/src/Controller/SharingGroupsController.php
@@ -37,10 +37,17 @@ class SharingGroupsController extends AppController
 
     public function add()
     {
+        $currentUser = $this->ACL->getUser();
         $this->CRUD->add([
             'override' => [
                 'user_id' => $this->ACL->getUser()['id']
-            ]
+            ],
+            'beforeSave' => function($data) use ($currentUser) {
+                if (!$currentUser['role']['perm_admin']) {
+                    $data['organisation_id'] = $currentUser['organisation_id'];
+                }
+                return $data;
+            }
         ]);
         $dropdownData = [
             'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser())
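Review bot: The `'user_id'` override still re-reads `$this->ACL->getUser()['id']` even though the new `$currentUser` local one line above holds the same user; use `'user_id' => $currentUser['id']` (and `getAvailableOrgForSg($currentUser)` on the dropdown line) so every server-enforced field comes from one snapshot. The two server-enforced fields now live in different places, `user_id` in `override` and `organisation_id` in `beforeSave`; if the CRUD component applies `override` after validation as well, pinning `organisation_id` there for non-admins would keep them together — confirm against the component before moving it. The closure silently replaces whatever `organisation_id` the request carried; since a mismatch between the submitted value and `$currentUser['organisation_id']` is exactly the misuse this commit fixes, consider logging or rejecting it rather than overwriting, so the attempt remains visible in audit logs. If `edit()` (outside this hunk) accepts `organisation_id` from the request the same way, it needs the same guard.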