Commit 5060f43c authored by Quentin Ribac's avatar Quentin Ribac
Browse files

FEAT #17436 TIME 1:20 taking manageable groups into account in UserController

parent 4975076e
......@@ -79,13 +79,16 @@ class UserController
$users[$key]['groups'] = [];
$groupsIds = UserGroupModel::get(['select' => ['group_id'], 'where' => ['user_id = ?'], 'data' => [$user['id']]]);
$groupsIds = array_column($groupsIds, 'group_id');
if ($GLOBALS['id'] != $user['id']) {
$actuallyAlone = false;
if (empty($groupsIds)) {
$actuallyAlone = true;
} elseif ($GLOBALS['id'] != $user['id']) {
$groupsIds = array_values(array_intersect($groupsIds, $manageableGroups));
}
if (!empty($groupsIds)) {
$groups = GroupModel::get(['select' => ['label', 'id'], 'where' => ['id in (?)'], 'data' => [$groupsIds]]);
$users[$key]['groups'] = $groups;
} else {
} elseif (!$actuallyAlone) {
unset($users[$key]);
}
}
......@@ -113,13 +116,18 @@ class UserController
$userGroups = UserGroupModel::get(['select' => ['group_id'], 'where' => ['user_id = ?'], 'data' => [$args['id']]]);
$groupsIds = array_column($userGroups, 'group_id');
if ($GLOBALS['id'] != $args['id']) {
$actuallyAlone = false;
if (empty($groupsIds)) {
$actuallyAlone = true;
} elseif ($GLOBALS['id'] != $args['id']) {
$groupsIds = array_values(array_intersect($groupsIds, array_column(UserController::getManageableGroups(['userId' => $GLOBALS['id']]), 'id')));
}
if (!empty($groupsIds)) {
$groups = GroupModel::get(['select' => ['label', 'id'], 'where' => ['id in (?)'], 'data' => [$groupsIds]]);
$user['groups'] = $groups;
} elseif (!$actuallyAlone) {
return $response->withStatus(403)->withJson(['errors' => 'User out of perimeter']);
}
HistoryController::add([
......@@ -158,6 +166,8 @@ class UserController
}
$body['groups'] = !empty($body['groups']) ? array_column($body['groups'], 'id') : [];
$manageableGroups = array_column(UserController::getManageableGroups(['userId' => $GLOBALS['id']]), 'id');
$body['groups'] = array_values(array_intersect($body['groups'], $manageableGroups));
$body['login'] = strtolower($body['login']);
$existingUser = UserModel::getByLogin(['login' => $body['login'], 'select' => [1]]);
......@@ -390,6 +400,9 @@ class UserController
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users']) || $GLOBALS['id'] == $args['id']) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
......@@ -495,6 +508,9 @@ class UserController
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users']) && $GLOBALS['id'] != $args['id']) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
$user = UserModel::getById(['select' => ['substitute'], 'id' => $args['id']]);
if (empty($user)) {
......@@ -642,6 +658,9 @@ class UserController
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
}
$body = $request->getParsedBody();
......@@ -792,10 +811,14 @@ class UserController
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
if (empty($args['id']) || !Validator::intVal()->validate($args['id'])) {
return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
$connection = ConfigurationModel::getConnection();
if ($connection != 'default') {
return $response->withStatus(403)->withJson(['errors' => 'Cannot send activation notification when not using default connection']);
......@@ -899,4 +922,18 @@ class UserController
return $manageableGroups;
}
public static function hasRightByUserId(array $args)
{
ValidatorModel::notEmpty($args, ['activeUserId', 'targetUserId']);
ValidatorModel::intVal($args, ['activeUserId', 'targetUserId']);
$groupsIds = array_column(UserGroupModel::get([
'select' => ['group_id'],
'where' => ['user_id = ?'],
'data' => [$args['targetUserId']]
]), 'group_id');
return empty($groupsIds) || !empty(array_intersect($groupsIds, array_column(UserController::getManageableGroups(['userId' => $args['activeUserId']]), 'id')));
}
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment