fix: [security] Sharing group creation on behalf of other organisation fixed

- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created

- as reported by Dawid Czarnecki of Zigrin Security
pull/92/head
iglocska 2022-02-19 01:21:29 +01:00
parent b41b0dd712
commit 6e67a5b239
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 8 additions and 1 deletions


@ -37,10 +37,17 @@ class SharingGroupsController extends AppController
public function add() public function add()
{ {
$currentUser = $this->ACL->getUser();
$this->CRUD->add([ $this->CRUD->add([
'override' => [ 'override' => [
'user_id' => $this->ACL->getUser()['id'] 'user_id' => $this->ACL->getUser()['id']
] ],
'beforeSave' => function($data) use ($currentUser) {
if (!$currentUser['role']['perm_admin']) {
$data['organisation_id'] = $currentUser['organisation_id'];
}
return $data;
}
]); ]);
$dropdownData = [ $dropdownData = [
'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser()) 'organisation' => $this->getAvailableOrgForSg($this->ACL->getUser())