security: [authkey:add] Restrict creation of API keys for users in the same org and for other org_admins

refacto/CRUDComponent
Sami Mokaddem 2023-02-23 14:57:42 +01:00
parent f18cde8b0f
commit 7ccf925247
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
1 changed files with 6 additions and 2 deletions


@ -71,8 +71,12 @@ class AuthKeysController extends AppController
if (empty($currentUser['role']['perm_org_admin'])) {
$userConditions['id'] = $currentUser['id'];
} else {
$role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0])->all()->extract('id')->toList();
$userConditions['role_id IN'] = $role_ids;
$role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->extract('id')->toList();
$userConditions['organisation_id'] = $currentUser['organisation_id'];
$userConditions['OR'] = [
['role_id IN' => $role_ids],
['id' => $currentUser['id']],
];
}
}
$users = $this->Users->find('list');
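Review bot: The new `$userConditions` only narrow the user list that feeds `find('list')` on the last line, so the restriction in the commit title holds only if the same conditions are also applied when the posted `user_id` is accepted on save — that path is outside the hunk, and if it trusts the submitted id the filter is cosmetic rather than an authorisation check. The purpose of the `OR` is not obvious on first read; a comment above it such as `// org admins may target non-admin users of their own organisation, plus themselves (their own role is excluded by the perm_org_admin filter)` would explain why the self-match clause exists. If no role satisfies `perm_admin = 0, perm_org_admin = 0`, `$role_ids` is empty and `role_id IN` receives an empty list, which depending on the CakePHP version may raise instead of matching nothing; the old code had the same exposure, so this is not a regression, but it is worth confirming. The enclosing action starts and ends outside the hunk.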