tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed problem that users with UM in specific groups can assign/delete profiles in other groups.

This commit is contained in:
Junichi Satoh 2020-12-25 17:38:03 +09:00
parent 57c1433764
commit 1c8b70d1eb
2 changed files with 30 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
pandora_console/godmode/massive/massive_add_profiles.php
View File

@ -109,6 +109,9 @@ $table->size[2] = '33%';
$data = []; $data = [];
$data[0] = '<form method="post" id="form_profiles" action="index.php?sec=gmassive&sec2=godmode/massive/massive_operations&tab=massive_users&option=add_profiles">'; $data[0] = '<form method="post" id="form_profiles" action="index.php?sec=gmassive&sec2=godmode/massive/massive_operations&tab=massive_users&option=add_profiles">';
$group_um = users_get_groups_UM($config['id_user']);
$display_all_group = true; $display_all_group = true;
if (check_acl($config['id_user'], 0, 'PM')) { if (check_acl($config['id_user'], 0, 'PM')) {
$data[0] .= html_print_select( $data[0] .= html_print_select(
@ -126,13 +129,14 @@ if (check_acl($config['id_user'], 0, 'PM')) {
'width: 100%' 'width: 100%'
); );
} else { } else {
$display_all_group = false; if (!isset($group_um[0])) {
$display_all_group = false;
}
$data[0] .= html_print_select( $data[0] .= html_print_select(
profile_get_profiles( profile_get_profiles(
[ [
'pandora_management' => '<> 1', 'pandora_management' => '<> 1',
'db_management' => '<> 1', 'db_management' => '<> 1',
'user_management' => '<> 1',
] ]
), ),
'profiles_id[]', 'profiles_id[]',
@ -175,18 +179,27 @@ $users_order = [
]; ];
$info_users = []; $info_users = [];
// Is admin or has group permissions all. // Is admin.
if (check_acl($config['id_user'], 0, 'PM') || isset($group_um[0])) { if (users_is_admin()) {
$info_users = users_get_info($users_order, 'id_user'); $info_users = users_get_info($users_order, 'id_user');
// has PM permission.
} elseif (check_acl($config['id_user'], 0, 'PM')) {
$info_users = users_get_info($users_order, 'id_user');
foreach ($info_users as $id_user => $value) {
if (users_is_admin($id_user)) {
unset($info_users[$value]);
}
}
} else { } else {
$info = []; $info = [];
$group_um = users_get_groups_UM($config['id_user']);
foreach ($group_um as $group => $value) { foreach ($group_um as $group => $value) {
$info = array_merge($info, users_get_users_by_group($group, $value)); $info = array_merge($info, users_get_users_by_group($group, $value));
} }
foreach ($info as $key => $value) { foreach ($info as $key => $value) {
$info_users[$key] = $value['id_user']; if (!$value['is_admin']) {
$info_users[$key] = $value['id_user'];
}
} }
} }

13
pandora_console/godmode/massive/massive_delete_profiles.php
View File

@ -35,6 +35,13 @@ if (is_ajax()) {
$id_profile = get_parameter('id_profile'); $id_profile = get_parameter('id_profile');
$profile_data = db_get_all_rows_filter('tusuario_perfil', ['id_perfil' => $id_profile[0], 'id_grupo' => $id_group[0]]); $profile_data = db_get_all_rows_filter('tusuario_perfil', ['id_perfil' => $id_profile[0], 'id_grupo' => $id_group[0]]);
if (!users_is_admin()) {
foreach ($profile_data as $user => $values) {
if (users_is_admin($values['id_usuario'])) {
unset($profile_data[$user]);
}
}
}
echo json_encode(index_array($profile_data, 'id_up', 'id_usuario')); echo json_encode(index_array($profile_data, 'id_up', 'id_usuario'));
return; return;
@ -122,13 +129,15 @@ if (check_acl($config['id_user'], 0, 'PM')) {
'width: 100%' 'width: 100%'
); );
} else { } else {
$display_all_group = false; $group_um = users_get_groups_UM($config['id_user']);
if (!isset($group_um[0])) {
$display_all_group = false;
}
$data[0] .= html_print_select( $data[0] .= html_print_select(
profile_get_profiles( profile_get_profiles(
[ [
'pandora_management' => '<> 1', 'pandora_management' => '<> 1',
'db_management' => '<> 1', 'db_management' => '<> 1',
'user_management' => '<> 1',
] ]
), ),
'profiles_id[]', 'profiles_id[]',