From b0ebe774b6911dad08a0b3ff63092cf99e6daba9 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 13 Sep 2023 07:18:29 +0200
Subject: [PATCH] fix: [ACL] group admins can view users in their group
---
src/Controller/UsersController.php | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 5c07369..dd2bf9b 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -20,7 +20,11 @@ class UsersController extends AppController
 $currentUser = $this->ACL->getUser();
 $conditions = [];
 if (empty($currentUser['role']['perm_admin'])) {
- $conditions['organisation_id'] = $currentUser['organisation_id'];
+ $conditions['organisation_id IN'] = [$currentUser['organisation_id']];
+ if (!empty($currentUser['role']['perm_group_admin'])) {
+ $this->loadModel('OrgGroups');
+ $conditions['organisation_id IN'] = array_merge($conditions['organisation_id IN'], $this->OrgGroups->getGroupOrgIdsForUser($currentUser));
+ }
 }
 $keycloakUsersParsed = null;
 if (!empty(Configure::read('keycloak.enabled'))) {
@@ -184,7 +188,11 @@ class UsersController extends AppController
 $this->CRUD->view($id, [
 'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles', 'Organisations', 'OrgGroups'],
 'afterFind' => function($data) use ($keycloakUsersParsed, $currentUser) {
- if (empty($currentUser['role']['perm_admin']) && $currentUser['organisation_id'] != $data['organisation_id']) {
+ if (
+ empty($currentUser['role']['perm_admin']) &&
+ ($currentUser['organisation_id'] != $data['organisation_id']) &&
+ (empty($currentUser['role']['perm_group_admin']) || !$this->ACL->canEditUser($currentUser, $data))
+ ) {
 throw new NotFoundException(__('Invalid User.'));
 }
 $data = $this->fetchTable('PermissionLimitations')->attachLimitations($data);
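Review bot: The group-admin listing here and the per-user view in the second hunk of this same commit draw on two different authority sources — the index widens `organisation_id IN` with `$this->OrgGroups->getGroupOrgIdsForUser($currentUser)`, while view() gates on `$this->ACL->canEditUser($currentUser, $data)` — so a user can be listed yet rejected as "Invalid User." on view (or the reverse) whenever those two helpers disagree, and nothing in the hunk states that they are meant to be equivalent. Deriving both from one helper, or at least a comment such as `// group admins may list every user of the orgs in their groups; view() must apply the same rule` next to the array_merge, would make the intended invariant reviewable. Separately, `$this->loadModel('OrgGroups')` is the API that CakePHP 4.3+ deprecates in favour of fetchTable(), which the neighbouring hunk already uses; `$groupOrgIds = $this->fetchTable('OrgGroups')->getGroupOrgIdsForUser($currentUser);` followed by the array_merge keeps the file consistent and avoids a magic `$this->OrgGroups` property. The enclosing index() method starts and ends outside the hunk.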
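Review bot: Gating a read in the afterFind closure on `!$this->ACL->canEditUser($currentUser, $data)` ties visibility to edit rights, which is presumably a stricter (or at least different) question than "may this group admin see this user", so group admins listed users in the index hunk can still hit `Invalid User.` here, and any later relaxation of canEditUser silently widens view access. A dedicated read predicate, e.g. `!$this->ACL->canViewUser($currentUser, $data)` if one exists, or the same org-group membership test the index uses, would make the intent explicit and keep list and view in step. The rewritten condition also keeps the original loose `!=` on organisation_id; if the session value and the ORM value can differ in type (string vs int) that is deliberate and deserves a one-line comment, otherwise `!==` with an explicit cast is the safer form. The closure belongs to view(), which starts outside the hunk.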