FIX #25530 02:45 Fix condition in UserController/getById() when usersGroups is...

FIX #25530 02:45 Fix condition in UserController/getById() when usersGroups is empty and in SignatureController/updateSubstituted() when checking global id and arg id

FIX #25530 02:45 Fix condition in UserController/getById() when usersGroups is...
3d30ebdb · Joseph AKEL · Jean-Laurent DUZANT · 56603577 · 3d30ebdb · 3d30ebdb
Commit 3d30ebdb authored 1 year ago by Joseph AKEL Committed by Jean-Laurent DUZANT 1 year ago
--- a/src/app/user/controllers/SignatureController.php
+++ b/src/app/user/controllers/SignatureController.php
@@ -223,6 +223,10 @@ class SignatureController
            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
        }

+        if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']]) && $GLOBALS['id'] !== intval($args['id'])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
+        }
+
        $user = UserModel::getById(['select' => [1], 'id' => $args['id']]);
        if (empty($user)) {
            return $response->withStatus(400)->withJson(['errors' => 'User does not exist']);

--- a/src/app/user/controllers/UserController.php
+++ b/src/app/user/controllers/UserController.php
@@ -118,8 +118,10 @@ class UserController
            if ($GLOBALS['id'] != $args['id']) {
                $groupsIds = array_values(array_intersect($groupsIds, array_column(UserController::getManageableGroups(['userId' => $GLOBALS['id']]), 'id')));
            }
-            $groups = GroupModel::get(['select' => ['label', 'id'], 'where' => ['id in (?)'], 'data' => [$groupsIds]]);
-            $user['groups'] = $groups;
+            if(!empty($groupsIds)){
+                $groups = GroupModel::get(['select' => ['label', 'id'], 'where' => ['id in (?)'], 'data' => [$groupsIds]]);
+                $user['groups'] = $groups;
+            }
        } else {
            $user = UserModel::getById(['select' => ['id', 'firstname', 'lastname', 'email', 'phone', 'substitute'], 'id' => $args['id']]);
        }
@@ -224,7 +226,7 @@ class UserController
        if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
            return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
        }
-        
+
        $connection = ConfigurationModel::getConnection();
        if (($GLOBALS['id'] != $args['id'] || $connection != 'default') && !UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
@@ -255,7 +257,7 @@ class UserController
            'firstname'       => $body['firstname'],
            'lastname'        => $body['lastname'],
            'email'           => $body['email'],
-            'phone'           => $body['phone'] ?? null,  
+            'phone'           => $body['phone'] ?? null,
            'signature_modes' => []
        ];