From 6def1e8a5fd8419ee2e7451e94dca562ed4c413d Mon Sep 17 00:00:00 2001
From: Quentin RIBAC <quentin.ribac@xelians.fr>
Date: Mon, 28 Mar 2022 16:54:31 +0200
Subject: [PATCH] FEAT #17436 TIME 0:30 fixed
 UserController::hasRightByUserId(); applied it to UserController::update()

---
 rest/index.php                              | 2 +-
 src/app/user/controllers/UserController.php | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/rest/index.php b/rest/index.php
index 82d9b45571..f51427cc1a 100755
--- a/rest/index.php
+++ b/rest/index.php
@@ -145,7 +145,7 @@ $app->get('/users/{id}/history', \History\controllers\HistoryController::class .
 $app->post('/password', \User\controllers\UserController::class . ':forgotPassword');
 $app->put('/password', \User\controllers\UserController::class . ':updateForgottenPassword');
 $app->put('/users/{id}/accountActivationNotification', \User\controllers\UserController::class . ':sendAccountActivationNotification');
-$app->get('/manageablegroups', \User\controllers\UserController::class . ':getManageableGroupsREST');
+$app->get('/manageablegroups', \User\controllers\UserController::class . ':getManageableGroupsOfCurrentUser');
 
 //Search
 $app->post('/search/documents', \Search\controllers\SearchController::class . ':getDocuments');
diff --git a/src/app/user/controllers/UserController.php b/src/app/user/controllers/UserController.php
index a325de26d4..4ce9ecdbe6 100755
--- a/src/app/user/controllers/UserController.php
+++ b/src/app/user/controllers/UserController.php
@@ -224,6 +224,9 @@ class UserController
         if (($GLOBALS['id'] != $args['id'] || $connection != 'default') && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
             return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
         }
+        if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
+        }
 
         $body = $request->getParsedBody();
 
@@ -831,7 +834,7 @@ class UserController
         return $response->withStatus(204);
     }
 
-    public function getManageableGroupsREST(Request $request, Response $response)
+    public function getManageableGroupsOfCurrentUser(Request $request, Response $response)
     {
         if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
             return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
@@ -934,6 +937,7 @@ class UserController
             'data'   => [$args['targetUserId']]
         ]), 'group_id');
 
-        return empty($groupsIds) || !empty(array_intersect($groupsIds, array_column(UserController::getManageableGroups(['userId' => $args['activeUserId']]), 'id')));
+        $activeUserManageableGroups = array_column(UserController::getManageableGroups(['userId' => $args['activeUserId']]), 'id');
+        return !empty($activeUserManageableGroups) && (empty($groupsIds) || !empty(array_intersect($groupsIds, $activeUserManageableGroups)));
     }
 }
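Review bot: The rewritten return in `hasRightByUserId` changes the rule in a way the code does not document: an active user who manages no groups is now refused outright (fail-closed, good), but a target user with no groups at all (`$groupsIds` empty) is still granted to any active user who manages at least one group, whatever that group is. A PHPDoc on the method stating the rule — active user must manage at least one group, and the target must either belong to none or share one with them — would make that choice reviewable, since the `empty($groupsIds)` branch reads like a deliberate exception rather than an oversight. The method also has no short-circuit for `activeUserId === targetUserId`, which the caller added in this commit may rely on; if self-access is intended it belongs here rather than at each call site. The start of the method lies outside this hunk.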
-- 
GitLab