
fix: [security] Group admin ACL
- a group admin could assign a user to an organisation not managed by that admin

- as reported by Jeroen Pinoy (@Wachizungu)
iglocska committed Nov 28, 2024
1 parent da4bd94 commit 1c8bcc0
Showing 1 changed file with 4 additions and 1 deletion.
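--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -320,10 +320,13 @@ public function edit($id = false)
 }
 return $data;
 };
-$params['beforeSave'] = function ($data) use ($currentUser, $validRoles) {
+$params['beforeSave'] = function ($data) use ($currentUser, $validRoles, $validOrgIds) {
 if (!in_array($data['role_id'], array_keys($validRoles)) && $this->ACL->getUser()['id'] != $data['id']) {
 throw new MethodNotAllowedException(__('You cannot assign the chosen role to a user.'));
 }
+if (!in_array($data['organisation_id'], $validOrgIds)) {
+throw new MethodNotAllowedException(__('You cannot assign the chosen organisation to a user.'));
+}
 return $data;
 };
 }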
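Review bot: The new organisation check relies on a loose `in_array`, so a request that omits `organisation_id` reaches the comparison as `null` (after an undefined-index warning) and any string value is type-juggled against the id list, which makes the ACL decision harder to reason about than it should be; an explicit guard such as `if (!isset($data['organisation_id']) || !in_array((int)$data['organisation_id'], $validOrgIds, true))` would reject a missing key outright and compare strictly, assuming `$validOrgIds` holds integer ids. Whether a partial edit can arrive without the key depends on how the entity is patched above the hunk, so confirm that before tightening it. The role check on the preceding line is skipped when the target is the current user while the organisation check is not; that asymmetry looks intentional, so a comment on the new `if`, `// applies to self-edits too: a group admin must never move any user outside their managed organisations`, would record the decision for the next reader. The enclosing `edit()` method and the computation of `$validOrgIds` both lie outside the hunk.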
