Fixed problem that users with UM in specific groups can assign/delete profiles in other groups.

2020-12-25 17:38:03 +09:00 · 2020-12-25 17:38:03 +09:00 · 1c8b70d1eb
parent 57c1433764
commit 1c8b70d1eb
2 changed files with 30 additions and 8 deletions
--- a/pandora_console/godmode/massive/massive_add_profiles.php
+++ b/pandora_console/godmode/massive/massive_add_profiles.php
@ -109,6 +109,9 @@ $table->size[2] = '33%';

 $data = [];
 $data[0] = '<form method="post" id="form_profiles" action="index.php?sec=gmassive&sec2=godmode/massive/massive_operations&tab=massive_users&option=add_profiles">';
+
+$group_um = users_get_groups_UM($config['id_user']);
+
 $display_all_group = true;
 if (check_acl($config['id_user'], 0, 'PM')) {
    $data[0] .= html_print_select(
@ -126,13 +129,14 @@ if (check_acl($config['id_user'], 0, 'PM')) {
        'width: 100%'
    );
 } else {
+    if (!isset($group_um[0])) {
        $display_all_group = false;
+    }
    $data[0] .= html_print_select(
        profile_get_profiles(
            [
                'pandora_management' => '<> 1',
                'db_management'      => '<> 1',
-                'user_management'    => '<> 1',
            ]
        ),
        'profiles_id[]',
@ -175,20 +179,29 @@ $users_order = [
 ];

 $info_users = [];
-// Is admin or has group permissions all.
-if (check_acl($config['id_user'], 0, 'PM') || isset($group_um[0])) {
+// Is admin.
+if (users_is_admin()) {
    $info_users = users_get_info($users_order, 'id_user');
+// has PM permission.
+} elseif (check_acl($config['id_user'], 0, 'PM')) {
+    $info_users = users_get_info($users_order, 'id_user');
+    foreach ($info_users as $id_user => $value) {
+        if (users_is_admin($id_user)) {
+            unset($info_users[$value]);
+        }
+    }
 } else {
    $info = [];
-    $group_um = users_get_groups_UM($config['id_user']);
    foreach ($group_um as $group => $value) {
        $info = array_merge($info, users_get_users_by_group($group, $value));
    }

    foreach ($info as $key => $value) {
+	if (!$value['is_admin']) {
            $info_users[$key] = $value['id_user'];
        }
    }
+}

 $data[2] .= html_print_select(
    $info_users,
--- a/pandora_console/godmode/massive/massive_delete_profiles.php
+++ b/pandora_console/godmode/massive/massive_delete_profiles.php
@ -35,6 +35,13 @@ if (is_ajax()) {
        $id_profile = get_parameter('id_profile');

        $profile_data = db_get_all_rows_filter('tusuario_perfil', ['id_perfil' => $id_profile[0], 'id_grupo' => $id_group[0]]);
+        if (!users_is_admin()) {
+            foreach ($profile_data as $user => $values) {
+                if (users_is_admin($values['id_usuario'])) {
+                    unset($profile_data[$user]);
+                }
+            }
+        }

        echo json_encode(index_array($profile_data, 'id_up', 'id_usuario'));
        return;
@ -122,13 +129,15 @@ if (check_acl($config['id_user'], 0, 'PM')) {
        'width: 100%'
    );
 } else {
+    $group_um = users_get_groups_UM($config['id_user']);
+    if (!isset($group_um[0])) {
        $display_all_group = false;
+    }
    $data[0] .= html_print_select(
        profile_get_profiles(
            [
                'pandora_management' => '<> 1',
                'db_management'      => '<> 1',
-                'user_management'    => '<> 1',
            ]
        ),
        'profiles_id[]',