Commit aca841ad authored by Quentin Ribac's avatar Quentin Ribac

FEAT #17436 TIME 0:30 fixed getManageableGroups() when empty return; fixed...

FEAT #17436 TIME 0:30 fixed getManageableGroups() when empty return; fixed permissions on getGroupPrivilege()
parent df37c333
......@@ -175,8 +175,10 @@ class GroupController
public function getGroupPrivilege(Request $request, Response $response, array $args)
{
if (!UserGroupModel::hasGroup(['userId' => $GLOBALS['id'], 'groupId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Current user out of target group']);
if (!UserGroupModel::hasGroup(['userId' => $GLOBALS['id'], 'groupId' => $args['id']])
&& !PrivilegeController::canGivePrivilege(['userId' => $GLOBALS['id'], 'groupId' => $args['id'], 'privilegeId' => $args['privilegeId']])
) {
return $response->withStatus(403)->withJson(['errors' => 'Current user cannot see this privilege']);
}
$privilege = GroupPrivilegeModel::getPrivileges([
......
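Review bot: The new guard in getGroupPrivilege() negates the result of `PrivilegeController::canGivePrivilege(...)`, whose return type is not visible in this hunk. If that helper can return anything other than a strict boolean (for example an error array), a truthy value would be read as permission and the 403 would be skipped. Assuming it returns `true` on success, an explicit comparison such as `&& PrivilegeController::canGivePrivilege([...]) !== true` would fail closed. The access rule is now "member of the group OR allowed to grant this privilege", which is easy to misread from two negated terms joined by `&&`; a comment above the condition such as `// Allowed when the caller belongs to the group or may grant this privilege` would make the policy auditable. The function body continues outside the hunk.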
......@@ -833,13 +833,21 @@ class UserController
$manageableGroups = [];
foreach ($groups as $group) {
$privilege = GroupPrivilegeModel::getPrivileges(['select' => ['parameters'], 'where' => ['group_id = ?', 'privilege = ?'], 'data' => [$group['group_id'], 'manage_users']]);
$privilege = GroupPrivilegeModel::getPrivileges([
'select' => ['parameters'],
'where' => ['group_id = ?', 'privilege = ?'],
'data' => [$group['group_id'], 'manage_users']
]);
$parameters = empty($privilege[0]['parameters']) ? [] : json_decode($privilege[0]['parameters'], true);
$currentGroups = $parameters['authorized'] ?? [];
$manageableGroups = array_merge($manageableGroups, $currentGroups);
}
$manageableGroups = array_unique($manageableGroups);
if (empty($manageableGroups)) {
return [];
}
$manageableGroups = GroupModel::get([
'where' => ['id in (?)'],
'data' => [$manageableGroups]
......
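Review bot: `$parameters['authorized']` is decoded from JSON stored in the privilege row and passed to `array_merge()` without a type check. A row whose `authorized` value is a scalar would raise a TypeError on PHP 8 while building the list that decides which groups the user may manage. A guard such as `$currentGroups = is_array($parameters['authorized'] ?? null) ? $parameters['authorized'] : [];` keeps the loop fail-closed on malformed data. `array_unique()` also preserves keys, so wrapping it in `array_values()` before binding to `id in (?)` avoids handing a sparse array to the query layer, if that layer expects a list. The enclosing method starts and ends outside the hunk.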