fix: [ACL] group admins can view users in their group

refacto/CRUDComponent
iglocska 2023-09-13 07:18:29 +02:00
parent e03a037511
commit b0ebe774b6
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 10 additions and 2 deletions


@ -20,7 +20,11 @@ class UsersController extends AppController
$currentUser = $this->ACL->getUser();
$conditions = [];
if (empty($currentUser['role']['perm_admin'])) {
$conditions['organisation_id'] = $currentUser['organisation_id'];
$conditions['organisation_id IN'] = [$currentUser['organisation_id']];
if (!empty($currentUser['role']['perm_group_admin'])) {
$this->loadModel('OrgGroups');
$conditions['organisation_id IN'] = array_merge($conditions['organisation_id IN'], $this->OrgGroups->getGroupOrgIdsForUser($currentUser));
}
}
$keycloakUsersParsed = null;
if (!empty(Configure::read('keycloak.enabled'))) {
@ -184,7 +188,11 @@ class UsersController extends AppController
$this->CRUD->view($id, [
'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles', 'Organisations', 'OrgGroups'],
'afterFind' => function($data) use ($keycloakUsersParsed, $currentUser) {
if (empty($currentUser['role']['perm_admin']) && $currentUser['organisation_id'] != $data['organisation_id']) {
if (
empty($currentUser['role']['perm_admin']) &&
($currentUser['organisation_id'] != $data['organisation_id']) &&
(empty($currentUser['role']['perm_group_admin']) || !$this->ACL->canEditUser($currentUser, $data))
) {
throw new NotFoundException(__('Invalid User.'));
}
$data = $this->fetchTable('PermissionLimitations')->attachLimitations($data);
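Review bot: The view guard added at L31-35 lets a group admin see a user only when `$this->ACL->canEditUser($currentUser, $data)` passes, while the index filter in the first hunk derives visibility from `$this->OrgGroups->getGroupOrgIdsForUser($currentUser)`; unless both resolve group membership identically, the list and the detail page can disagree (a user shown in the list raises NotFoundException on view, or a user hidden from the list is viewable by id). A single read-side predicate, or a check of `$data['organisation_id']` against the same org-id set the index uses, would make the authorization decision in one place and keep the edit check strictly tighter than the view check. The loose `!=` on `organisation_id` is carried over from the removed line; `(int) $currentUser['organisation_id'] !== (int) $data['organisation_id']` avoids type juggling if either side arrives as a string. `$this->loadModel('OrgGroups')` in the first hunk sits next to `$this->fetchTable('PermissionLimitations')` here, so the two table-lookup styles should be unified. The afterFind closure and the enclosing view action continue past the end of the hunk.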