Commit 6a67b2ce authored by Quentin Ribac's avatar Quentin Ribac

FEAT #17436 TIME 0:15 fixed privilege validation

parent aca841ad
......@@ -175,9 +175,9 @@ class GroupController
public function getGroupPrivilege(Request $request, Response $response, array $args)
{
if (!UserGroupModel::hasGroup(['userId' => $GLOBALS['id'], 'groupId' => $args['id']])
&& !PrivilegeController::canGivePrivilege(['userId' => $GLOBALS['id'], 'groupId' => $args['id'], 'privilegeId' => $args['privilegeId']])
) {
$hasGroup = UserGroupModel::hasGroup(['userId' => $GLOBALS['id'], 'groupId' => (int)$args['id']]);
$hasRight = PrivilegeController::hasRightByPrivilege(['userId' => $GLOBALS['id'], 'groupId' => (int)$args['id'], 'privilegeId' => $args['privilegeId'], 'readOnly' => true]);
if (!$hasGroup && !$hasRight) {
return $response->withStatus(403)->withJson(['errors' => 'Current user cannot see this privilege']);
}
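Review bot: The new `$hasRight` line calls `PrivilegeController::hasRightByPrivilege` unconditionally, so the parameter-dependent right check runs for every caller even when `$hasGroup` is already true and the decision is settled; folding the second call into the condition keeps the same outcome with one lookup fewer, `if (!$hasGroup && !PrivilegeController::hasRightByPrivilege(['userId' => $GLOBALS['id'], 'groupId' => (int)$args['id'], 'privilegeId' => $args['privilegeId'], 'readOnly' => true])) {`. The `(int)` cast on `$args['id']` turns a non-numeric route value into `0` before it reaches `hasGroup`, which presumably yields false rather than an error — confirm that silent fallback is intended. getGroupPrivilege's body continues past the hunk.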
......@@ -244,7 +244,7 @@ class GroupController
}
if ($body['checked']) {
if (!PrivilegeController::canGivePrivilege(['userId' => $GLOBALS['id'], 'groupId' => $aArgs['id'], 'privilegeId' => $aArgs['privilegeId'], 'parameters' => $parameters])) {
if (!PrivilegeController::hasRightByPrivilege(['userId' => $GLOBALS['id'], 'groupId' => $aArgs['id'], 'privilegeId' => $aArgs['privilegeId'], 'parameters' => $parameters])) {
return $response->withStatus(400)->withJson(['errors' => 'Privilege not allowed with these parameters']);
}
if (empty($privilege)) {
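Review bot: The new `hasRightByPrivilege` call passes `$aArgs['id']` as `groupId` without the `(int)` cast the getGroupPrivilege hunk above applies to the same route argument, so the two call sites feed `ValidatorModel::intVal` differently; `'groupId' => (int)$aArgs['id']` would make them consistent, assuming intVal is strict about numeric strings — verify against ValidatorModel. The denial here answers 400 while the read path answers 403; both reject the current user's right, so 403 describes the outcome more accurately. The enclosing method's signature lies outside the hunk.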
......
......@@ -80,14 +80,14 @@ class PrivilegeController
return false;
}
public static function canGivePrivilege(array $args)
public static function hasRightByPrivilege(array $args)
{
ValidatorModel::notEmpty($args, ['userId', 'groupId', 'privilegeId']);
ValidatorModel::intVal($args, ['userId', 'groupId']);
ValidatorModel::stringType($args, ['privilegeId']);
if ($args['privilegeId'] == 'manage_users') {
if (!isset($args['parameters']['authorized'])) {
if (empty($args['readOnly']) && !isset($args['parameters']['authorized'])) {
return false;
}
if (!PrivilegeController::hasPrivilege(['userId' => $args['userId'], 'privilege' => 'manage_users'])) {
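Review bot: The new `readOnly` switch is read with `empty()` and is not covered by the ValidatorModel calls at the top of the function, so any non-empty value (including the string `'false'`) waives the `parameters['authorized']` requirement for manage_users; the callers on this page pass a literal `true`, but validating it as a boolean next to the other checks would keep a future caller from forwarding request input into it. The `$args['privilegeId'] == 'manage_users'` comparison is loose although `privilegeId` has just been validated as a string; `=== 'manage_users'` is the strict equivalent. A docblock would also help, e.g. `Returns whether userId may act on privilegeId within groupId; with readOnly set the parameters['authorized'] requirement for manage_users is waived because the caller only displays the privilege.` hasRightByPrivilege continues outside the hunk.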
......