From fab9795d352418935aa68adc525e8e99c457ec97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Mon, 19 Jun 2017 12:20:47 +0200
Subject: [PATCH] Fixes #5625 Bypassing ACLs for adding users to groups/roles through templates
---
 .../attributes/class_SelectAttribute.inc | 8 +++++++
 plugins/personal/roles/class_userRoles.inc | 24 +++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/include/simpleplugin/attributes/class_SelectAttribute.inc b/include/simpleplugin/attributes/class_SelectAttribute.inc
index 50156bd67..e288bbbe7 100644
--- a/include/simpleplugin/attributes/class_SelectAttribute.inc
+++ b/include/simpleplugin/attributes/class_SelectAttribute.inc
@@ -85,6 +85,7 @@ class SelectAttribute extends Attribute
 function setDisplayChoices ($values)
 {
 $this->outputs = array();
+ $values = array_values($values);
 $i = 0;
 foreach ($this->choices as $choice) {
 $this->outputs[$choice] = $values[$i++];
@@ -98,6 +99,13 @@ class SelectAttribute extends Attribute
 return $this->choices;
 }
+ /*! \brief Get the displayed choices (keys are choices)
+ */
+ function getDisplayChoices ()
+ {
+ return $this->outputs;
+ }
+
 function setRequired ($bool)
 {
 parent::setRequired($bool);
diff --git a/plugins/personal/roles/class_userRoles.inc b/plugins/personal/roles/class_userRoles.inc
index 92cf1c499..18d90b466 100644
--- a/plugins/personal/roles/class_userRoles.inc
+++ b/plugins/personal/roles/class_userRoles.inc
@@ -24,6 +24,8 @@ class userRoles extends simplePlugin
 protected $savedGroupsMembership = array();
 protected $savedRolesMembership = array();
+ protected $templateGroups = array();
+ protected $templateRoles = array();
 static function plInfo()
 {
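Review bot: `$this->outputs[$choice] = $values[$i++];` still pairs labels with choices purely by position, so after the added `array_values()` a caller passing a map keyed by choice (the shape `getDisplayChoices()` returns) has its keys discarded and its values reassigned in iteration order, and a shorter array leaves the remaining outputs `null` with an undefined-offset notice. That contract deserves a comment on the added line, e.g. `// labels are matched to $this->choices by position; callers must pass them in choice order`, or, if a count mismatch should be a hard error, one explicit check before the loop. setDisplayChoices ends outside the hunk.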
@@ -245,7 +247,7 @@ class userRoles extends simplePlugin
 foreach ($groupsMembership as $ogroupdn) {
 if (!in_array($ogroupdn, $this->savedGroupsMembership)) {
 $g = objects::open($ogroupdn, 'ogroup');
- if (!$g->getBaseObject()->attrIsWriteable('member')) {
+ if (!in_array($ogroupdn, $this->templateGroups) && !$g->getBaseObject()->attrIsWriteable('member')) {
 $errors[] = msgPool::permModify($ogroupdn, 'member');
 continue;
 }
@@ -282,7 +284,7 @@ class userRoles extends simplePlugin
 foreach ($rolesMembership as $roledn) {
 if (!in_array($roledn, $this->savedRolesMembership)) {
 $r = objects::open($roledn, 'role');
- if (!$r->getBaseObject()->attrIsWriteable('roleOccupant')) {
+ if (!in_array($roledn, $this->templateRoles) && !$r->getBaseObject()->attrIsWriteable('roleOccupant')) {
 $errors[] = msgPool::permModify($roledn, 'roleOccupant');
 continue;
 }
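Review bot: The ACL bypass on the changed `if` line keys on the DN string alone and `in_array($ogroupdn, $this->templateGroups)` is a loose comparison, while nothing in the code records why a DN listed in `templateGroups` may skip `attrIsWriteable('member')`, so the skipped check reads like a regression to the next reader. Pass `true` as the third argument, `if (!in_array($ogroupdn, $this->templateGroups, true) && !$g->getBaseObject()->attrIsWriteable('member')) {`, and put a comment above the condition, e.g. `// Memberships taken from the template are presumed authorised when the template was set up; only memberships the user picked himself need write access on the group`. The same applies to the `roleOccupant` check in the @@ -282 hunk below. Both loops sit in a method that starts and ends outside the hunk.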
@@ -325,13 +327,27 @@ class userRoles extends simplePlugin
 $this->savedGroupsMembership = $this->groupsMembership;
 if (isset($this->attrs['userGroups'])) {
 unset($this->attrs['userGroups']['count']);
- $this->groupsMembership = $this->attrs['userGroups'];
+ $myGroups = array_combine($this->attrs['userGroups'], $this->attrs['userGroups']);
+ $groups = $this->attributesAccess['groupsMembership']->attribute->getDisplayChoices();
+ $groups = array_merge($myGroups, $groups);
+ $this->attributesAccess['groupsMembership']->attribute->setChoices(array_keys($groups), array_values($groups));
+ $this->attributesAccess['groupsMembership']->setValue(array_keys($myGroups));
+ $this->templateGroups = array_keys($myGroups);
+ } else {
+ $this->templateGroups = array();
 }
 $this->savedRolesMembership = $this->rolesMembership;
 if (isset($this->attrs['userRoles'])) {
 unset($this->attrs['userRoles']['count']);
- $this->rolesMembership = $this->attrs['userRoles'];
+ $myRoles = array_combine($this->attrs['userRoles'], $this->attrs['userRoles']);
+ $roles = $this->attributesAccess['rolesMembership']->attribute->getDisplayChoices();
+ $roles = array_merge($myRoles, $roles);
+ $this->attributesAccess['rolesMembership']->attribute->setChoices(array_keys($roles), array_values($roles));
+ $this->attributesAccess['rolesMembership']->setValue(array_keys($myRoles));
+ $this->templateRoles = array_keys($myRoles);
+ } else {
+ $this->templateRoles = array();
 }
 $this->is_account = ((count($this->rolesMembership) > 0) || (count($this->groupsMembership) > 0));
-- 
GitLab
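Review bot: The groups branch and the roles branch are the same eight statements with the attribute names swapped, which makes the `templateGroups`/`templateRoles` bookkeeping that the ACL checks depend on easy to drift apart; a helper taking the attribute name and the template attribute name keeps both paths identical (sketch below). Two things to confirm while doing so: `array_merge($myGroups, $groups)` and the later `in_array` checks compare DN strings byte for byte while LDAP DNs are case-insensitive, so a template DN spelled differently from an existing choice would add a duplicate entry instead of selecting the existing one — presumably DNs are stored canonically, but verify; and `$this->is_account` on the last context line still reads `$this->groupsMembership`/`$this->rolesMembership`, which now only reflect the template values if `setValue()` updates them synchronously through the plugin's attribute accessors. The enclosing method begins before the hunk.
```php
    $this->savedGroupsMembership = $this->groupsMembership;
    $this->templateGroups = $this->applyTemplateMembership('groupsMembership', 'userGroups');
    $this->savedRolesMembership = $this->rolesMembership;
    $this->templateRoles = $this->applyTemplateMembership('rolesMembership', 'userRoles');
    // … unchanged: is_account computation and rest of the enclosing method …

  /*! \brief Merge the DNs the template lists in $templateAttr into the choices
   *  of $attrName, select them, and return them (deduplicated) so the ACL check
   *  can skip them. Returns an empty array when the template sets nothing.
   */
  protected function applyTemplateMembership ($attrName, $templateAttr)
  {
    if (!isset($this->attrs[$templateAttr])) {
      return array();
    }
    unset($this->attrs[$templateAttr]['count']);
    $dns      = array_values($this->attrs[$templateAttr]);
    $mine     = array_combine($dns, $dns);
    $attr     = $this->attributesAccess[$attrName]->attribute;
    $choices  = array_merge($mine, $attr->getDisplayChoices());
    $attr->setChoices(array_keys($choices), array_values($choices));
    $this->attributesAccess[$attrName]->setValue(array_keys($mine));
    return array_keys($mine);
  }
```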