Commit 99fa5393 authored by Quentin Ribac

FEAT #17436 TIME 1 prevent removal of user from groups one has not right on

parent 7364c61d
......@@ -288,7 +288,29 @@ class UserController
'data' => [$args['id']]
]);
UserGroupModel::setUserGroups(['userId' => $args['id'], 'groups' => $body['groups']]);
if (!empty($body['groups']) && Validator::arrayType()->each(Validator::intType())->validate($body['groups'])) {
/**
* Alice wants to edit Bob’s groups.
*
* B: $body[groups]: groups Alice wants to apply to Bob
* M: $GLOBALS[id] manageable groups: groups Alice has right on
* C: current groups: Bob’s current groups
*
* given these, Bob’s new groups are the groups Alice asked for,
* plus “Bob’s current groups except groups Alice has right on”:
*
* B union (C - M)
*/
$targetCurrentGroups = UserGroupModel::get([
'select' => ['group_id'],
'where' => ['user_id = ?'],
'data' => [$args['id']]
]);
$targetCurrentGroups = !empty($targetCurrentGroups) ? array_column($targetCurrentGroups, 'group_id') : [];
$manageableGroups = array_column(UserController::getManageableGroups(['userId' => $GLOBALS['id']]), 'id');
$appliedGroups = array_unique(array_merge($body['groups'], array_diff($targetCurrentGroups, $manageableGroups)));
UserGroupModel::setUserGroups(['userId' => $args['id'], 'groups' => $appliedGroups]);
}
HistoryController::add([
'code' => 'OK',
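Review bot: The `$appliedGroups` line merges `$body['groups']` as-is, so the requested set B is never limited to the caller's manageable groups M. The new code stops a caller from removing groups outside M but, unless B is checked against M earlier in this method outside the hunk, still lets them add the target user to groups they have no right on. Computing `(B ∩ M) ∪ (C − M)` closes that gap, e.g. `array_merge(array_intersect($body['groups'], $manageableGroups), array_diff($targetCurrentGroups, $manageableGroups))`, or reject the request when `array_diff($body['groups'], $manageableGroups)` is non-empty. Separately, the `!empty($body['groups'])` guard makes an empty list a silent no-op, so the last manageable group can no longer be removed from a user, and a list that fails the validator is skipped without an error while the `HistoryController::add` call in the trailing context still appears to run; consider rejecting invalid input explicitly and applying `C − M` for an empty list. The enclosing method starts and ends outside the hunk.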