From caf48c9060ba27e13533e8d702a989bb72285a8e Mon Sep 17 00:00:00 2001
From: iglocska
Date: Mon, 17 Jan 2022 09:19:53 +0100
Subject: [PATCH 1/2] fix: [ACL] proper error messages on user edit - don't just silently redirect to the own user editing if the user isn't authorised to modify another user
---
 src/Controller/UsersController.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 36a69cf..3e389de 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -97,8 +97,16 @@ class UsersController extends AppController
 public function edit($id = false)
 {
 $currentUser = $this->ACL->getUser();
- if (empty($id) || (empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_admin']))) {
+ if (empty($id)) {
 $id = $currentUser['id'];
+ } else {
+ if ((empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_admin']))) {
+ if ($id !== $currentUser['id']) {
+ throw new MethodNotAllowedException(__('You are not authorised to edit that user.'));
+ } else {
+ $id = $currentUser['id'];
+ }
+ }
 }

 $params = [
From 95cb4536e1cb371d566b16afc2d06f0dc8723932 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Mon, 17 Jan 2022 09:22:06 +0100
Subject: [PATCH 2/2] fix: [tagging] error when trying to add a tag that doesn't exist yet - add default colour to circumvent the error
---
 plugins/Tags/src/Model/Behavior/TagBehavior.php | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/plugins/Tags/src/Model/Behavior/TagBehavior.php b/plugins/Tags/src/Model/Behavior/TagBehavior.php
index b27ded9..5772d82 100644
--- a/plugins/Tags/src/Model/Behavior/TagBehavior.php
+++ b/plugins/Tags/src/Model/Behavior/TagBehavior.php
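Review bot: The ownership check `$id !== $currentUser['id']` added to UsersController::edit() is a strict comparison, and `$id` is a route argument, which CakePHP normally passes as a string; if `$currentUser['id']` is an integer (not visible here), a non-admin who opens their own account by explicit id would always hit the exception. `if ((int)$id !== (int)$currentUser['id']) {` keeps the check strict about the value without depending on the type. An authorisation failure is also better reported with `ForbiddenException` (403) than `MethodNotAllowedException` (405), which describes the HTTP verb, and either class needs a `use` import that this hunk does not show. The `perm_org_admin` branch still accepts any `$id`; whether the target user is restricted to the admin's own organisation is decided further down in edit(), outside this hunk, and is worth confirming.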
@@ -46,10 +46,10 @@ class TagBehavior extends Behavior $config = $this->getConfig(); $tagsAssoc = $config['tagsAssoc']; $taggedAssoc = $config['taggedAssoc']; - + $table = $this->_table; $tableAlias = $this->_table->getAlias(); - + $assocConditions = ['Tagged.fk_model' => $tableAlias]; if (!$table->hasAssociation('Tagged')) { @@ -114,7 +114,6 @@ class TagBehavior extends Behavior $property = $this->getConfig('tagsAssoc.propertyName'); $options['accessibleFields'][$property] = true; $options['associated']['Tags']['accessibleFields']['id'] = true; - if (isset($data['tags'])) { if (!empty($data['tags'])) { $data[$property] = $this->normalizeTags($data['tags']); @@ -131,7 +130,6 @@ class TagBehavior extends Behavior if (!$tag->isNew()) { continue; } - $existingTag = $this->getExistingTag($tag->name); if (!$existingTag) { continue; @@ -176,15 +174,14 @@ class TagBehavior extends Behavior $result[] = array_merge($common, ['id' => $existingTag->id]); continue; } - $result[] = array_merge( $common, [ 'name' => $tagIdentifier, + 'colour' => '#924da6' ] ); } - return $result; } @@ -312,7 +309,7 @@ class TagBehavior extends Behavior $key = 'Tags.' . $finderField; $taggedAlias = 'Tagged'; $foreignKey = $this->getConfig('tagsAssoc.foreignKey'); - + if (!empty($filterValue['AND'])) { $subQuery = $this->buildQuerySnippet($filterValue['AND'], $finderField, $OperatorAND); $modelAlias = $this->_table->getAlias(); @@ -352,4 +349,4 @@ class TagBehavior extends Behavior return $query; } -} \ No newline at end of file +}
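Review bot: The default colour in the hunk at new line 174 is an inline literal, `'colour' => '#924da6'`, placed in the second argument of `array_merge($common, [...])`, so it would override any `colour` key already present in `$common` (the contents of `$common` are built outside the hunk). A named default such as `private const DEFAULT_TAG_COLOUR = '#924da6';` referenced as `'colour' => self::DEFAULT_TAG_COLOUR,` (with the trailing comma), plus a one-line comment such as `// new tags need a colour to be saved; fall back to the default`, would make the intent clear. The other hunks in this file only change blank lines and the end-of-file newline.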