Fixed problem that users with UM in specific groups can assign/delete profiles in other groups.

This commit is contained in:
Junichi Satoh 2020-12-25 17:38:03 +09:00
parent 57c1433764
commit 1c8b70d1eb
2 changed files with 30 additions and 8 deletions

View File

@ -109,6 +109,9 @@ $table->size[2] = '33%';
$data = [];
$data[0] = '<form method="post" id="form_profiles" action="index.php?sec=gmassive&sec2=godmode/massive/massive_operations&tab=massive_users&option=add_profiles">';
$group_um = users_get_groups_UM($config['id_user']);
$display_all_group = true;
if (check_acl($config['id_user'], 0, 'PM')) {
$data[0] .= html_print_select(
@ -126,13 +129,14 @@ if (check_acl($config['id_user'], 0, 'PM')) {
'width: 100%'
);
} else {
if (!isset($group_um[0])) {
$display_all_group = false;
}
$data[0] .= html_print_select(
profile_get_profiles(
[
'pandora_management' => '<> 1',
'db_management' => '<> 1',
'user_management' => '<> 1',
]
),
'profiles_id[]',
@ -175,19 +179,28 @@ $users_order = [
];
$info_users = [];
// Is admin or has group permissions all.
if (check_acl($config['id_user'], 0, 'PM') || isset($group_um[0])) {
// Is admin.
if (users_is_admin()) {
$info_users = users_get_info($users_order, 'id_user');
// has PM permission.
} elseif (check_acl($config['id_user'], 0, 'PM')) {
$info_users = users_get_info($users_order, 'id_user');
foreach ($info_users as $id_user => $value) {
if (users_is_admin($id_user)) {
unset($info_users[$value]);
}
}
} else {
$info = [];
$group_um = users_get_groups_UM($config['id_user']);
foreach ($group_um as $group => $value) {
$info = array_merge($info, users_get_users_by_group($group, $value));
}
foreach ($info as $key => $value) {
if (!$value['is_admin']) {
$info_users[$key] = $value['id_user'];
}
}
}
$data[2] .= html_print_select(

View File

@ -35,6 +35,13 @@ if (is_ajax()) {
$id_profile = get_parameter('id_profile');
$profile_data = db_get_all_rows_filter('tusuario_perfil', ['id_perfil' => $id_profile[0], 'id_grupo' => $id_group[0]]);
if (!users_is_admin()) {
foreach ($profile_data as $user => $values) {
if (users_is_admin($values['id_usuario'])) {
unset($profile_data[$user]);
}
}
}
echo json_encode(index_array($profile_data, 'id_up', 'id_usuario'));
return;
@ -122,13 +129,15 @@ if (check_acl($config['id_user'], 0, 'PM')) {
'width: 100%'
);
} else {
$group_um = users_get_groups_UM($config['id_user']);
if (!isset($group_um[0])) {
$display_all_group = false;
}
$data[0] .= html_print_select(
profile_get_profiles(
[
'pandora_management' => '<> 1',
'db_management' => '<> 1',
'user_management' => '<> 1',
]
),
'profiles_id[]',