Commit 6def1e8a authored by Quentin Ribac's avatar Quentin Ribac

FEAT #17436 TIME 0:30 fixed UserController::hasRightByUserId(); applied it to...

FEAT #17436 TIME 0:30 fixed UserController::hasRightByUserId(); applied it to UserController::update()
parent 05a0a56b
......@@ -145,7 +145,7 @@ $app->get('/users/{id}/history', \History\controllers\HistoryController::class .
$app->post('/password', \User\controllers\UserController::class . ':forgotPassword');
$app->put('/password', \User\controllers\UserController::class . ':updateForgottenPassword');
$app->put('/users/{id}/accountActivationNotification', \User\controllers\UserController::class . ':sendAccountActivationNotification');
$app->get('/manageablegroups', \User\controllers\UserController::class . ':getManageableGroupsREST');
$app->get('/manageablegroups', \User\controllers\UserController::class . ':getManageableGroupsOfCurrentUser');
//Search
$app->post('/search/documents', \Search\controllers\SearchController::class . ':getDocuments');
......@@ -224,6 +224,9 @@ class UserController
if (($GLOBALS['id'] != $args['id'] || $connection != 'default') && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
$body = $request->getParsedBody();
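Review bot: The new hasRightByUserId() guard is applied even when the caller is updating their own account, while the check just above it deliberately lets a user through for a self-update without the manage_users privilege; if getManageableGroups() returns an empty list for users without that privilege (the 403 in getManageableGroupsOfCurrentUser suggests so, but the helper is not in this commit), then with the rewritten helper every non-manager is now denied editing their own profile. Restricting the new check to the cross-user case keeps the previous self-update behaviour: `if ($GLOBALS['id'] != $args['id'] && !UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {`. While here, the comparison inherited from the line above uses `!=`; `(int) $GLOBALS['id'] !== (int) $args['id']` would avoid loose-comparison surprises on a route parameter. The body of update() starts and ends outside this hunk.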
......@@ -831,7 +834,7 @@ class UserController
return $response->withStatus(204);
}
public function getManageableGroupsREST(Request $request, Response $response)
public function getManageableGroupsOfCurrentUser(Request $request, Response $response)
{
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
......@@ -934,6 +937,7 @@ class UserController
'data' => [$args['targetUserId']]
]), 'group_id');
return empty($groupsIds) || !empty(array_intersect($groupsIds, array_column(UserController::getManageableGroups(['userId' => $args['activeUserId']]), 'id')));
$activeUserManageableGroups = array_column(UserController::getManageableGroups(['userId' => $args['activeUserId']]), 'id');
return !empty($activeUserManageableGroups) && (empty($groupsIds) || !empty(array_intersect($groupsIds, $activeUserManageableGroups)));
}
}
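Review bot: The rewritten return encodes a non-obvious authorisation rule with no documentation: a target user who belongs to no group is manageable by any user who manages at least one group, regardless of which group, and only the "manages nothing" case was tightened. A docblock above hasRightByUserId() should state that, e.g. `Returns true only if the active user manages at least one group and the target user is either in no group or in at least one group the active user manages; a target with no groups is manageable by every manager.` so the next reader can confirm it is intended rather than an accident of `empty($groupsIds)`. Stylistically, `$activeUserManageableGroups !== []` and `array_intersect(...) !== []` read more precisely than the `!empty()` pairs, and the method would benefit from a `: bool` return type. The start of hasRightByUserId() lies outside this hunk.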