Commit 52df0703 authored by Quentin Ribac's avatar Quentin Ribac
Browse files

FEAT #17436 TIME 0:15 check privileges in HistoryController and SignatureController

parent 5060f43c
......@@ -38,6 +38,7 @@ use SrcCore\models\PasswordModel;
use SrcCore\models\TextFormatModel;
use SrcCore\models\ValidatorModel;
use User\models\UserModel;
use User\controllers\UserController;
use Workflow\controllers\YousignController;
use Workflow\models\WorkflowExternalInformationModel;
use Workflow\models\WorkflowModel;
......@@ -674,6 +675,9 @@ class HistoryController
if ($GLOBALS['id'] != $args['id'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
......
......@@ -25,6 +25,7 @@ use SrcCore\models\CoreConfigModel;
use SrcCore\models\ValidatorModel;
use User\models\SignatureModel;
use User\models\UserModel;
use User\controllers\UserController;
class SignatureController
{
......@@ -77,6 +78,9 @@ class SignatureController
if ($GLOBALS['id'] != $args['id'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
$body = $request->getParsedBody();
......@@ -132,6 +136,9 @@ class SignatureController
if ($GLOBALS['id'] != $args['id'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
SignatureModel::delete(['where' => ['user_id = ?', 'id = ?'], 'data' => [$args['id'], $args['signatureId']]]);
......@@ -152,6 +159,9 @@ class SignatureController
if ($GLOBALS['id'] != $args['id'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
$user = UserModel::getById(['select' => [1], 'id' => $args['id']]);
if (empty($user)) {
......@@ -212,6 +222,9 @@ class SignatureController
if ($GLOBALS['id'] != $args['id'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
$user = UserModel::getById(['select' => [1], 'id' => $args['id']]);
if (empty($user)) {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment