FEAT #17436 TIME 0:13 unlink a user from a group with correct privileges

8f93087a · Quentin Ribac · f1a23203 · 8f93087a
Commit 8f93087a authored 3 years ago by Quentin Ribac
--- a/src/app/group/controllers/GroupController.php
+++ b/src/app/group/controllers/GroupController.php
@@ -20,6 +20,7 @@ use History\controllers\HistoryController;
 use Respect\Validation\Validator;
 use Slim\Http\Request;
 use Slim\Http\Response;
+use User\controllers\UserController;
 use User\models\UserGroupModel;
 use User\models\UserModel;

@@ -313,7 +314,20 @@ class GroupController

    public function removeUser(Request $request, Response $response, array $aArgs)
    {
-        if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_groups']) && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
+        $hasGroupPrivilege = PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_groups']);
+        $hasUserPrivilege = false;
+
+        $manageableGroups = UserController::getManageableGroups(['userId' => $GLOBALS['id']]);
+        $targetUserGroups = UserGroupModel::get([
+            'select' => ['group_id'],
+            'where'  => ['user_id = ?'],
+            'data'   => [$aArgs['userId']]
+        ]);
+        $targetUserGroups = array_column($targetUserGroups, 'group_id');
+        if (!empty(array_intersect($manageableGroups, $targetUserGroups))) {
+            $hasUserPrivilege = true;
+        }
+        if (!$hasGroupPrivilege && !$hasUserPrivilege) {
            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
        }