Commit fab9795d authored by Côme Chilliet's avatar Côme Chilliet

Fixes #5625 Bypassing ACLs for adding users to groups/roles through templates

parent 21b84e87
...@@ -85,6 +85,7 @@ class SelectAttribute extends Attribute ...@@ -85,6 +85,7 @@ class SelectAttribute extends Attribute
function setDisplayChoices ($values) function setDisplayChoices ($values)
{ {
$this->outputs = array(); $this->outputs = array();
$values = array_values($values);
$i = 0; $i = 0;
foreach ($this->choices as $choice) { foreach ($this->choices as $choice) {
$this->outputs[$choice] = $values[$i++]; $this->outputs[$choice] = $values[$i++];
...@@ -98,6 +99,13 @@ class SelectAttribute extends Attribute ...@@ -98,6 +99,13 @@ class SelectAttribute extends Attribute
return $this->choices; return $this->choices;
} }
/*! \brief Get the displayed choices (keys are choices)
*/
function getDisplayChoices ()
{
return $this->outputs;
}
function setRequired ($bool) function setRequired ($bool)
{ {
parent::setRequired($bool); parent::setRequired($bool);
......
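Review bot: `setDisplayChoices` still reads `$values[$i++]` for every entry of `$this->choices` without checking that `$values` holds at least as many elements, so a shorter list produces an undefined-offset notice and a null label for the trailing choices; the new `array_values` reindex also means any keys the caller passed are discarded and labels are paired with choices strictly by position. That contract belongs in the doc comment, e.g. `/*! \brief Set the displayed labels, paired with choices by position (keys of $values are ignored; one label per choice is expected) */`. The new `getDisplayChoices` comment could likewise state that the returned array is keyed by choice value exactly as filled by `setDisplayChoices`, so callers can rely on the pairing. The second hunk is cut off after the first lines of `setRequired`, so its remainder was not reviewed.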
...@@ -24,6 +24,8 @@ class userRoles extends simplePlugin ...@@ -24,6 +24,8 @@ class userRoles extends simplePlugin
protected $savedGroupsMembership = array(); protected $savedGroupsMembership = array();
protected $savedRolesMembership = array(); protected $savedRolesMembership = array();
protected $templateGroups = array();
protected $templateRoles = array();
static function plInfo() static function plInfo()
{ {
...@@ -245,7 +247,7 @@ class userRoles extends simplePlugin ...@@ -245,7 +247,7 @@ class userRoles extends simplePlugin
foreach ($groupsMembership as $ogroupdn) { foreach ($groupsMembership as $ogroupdn) {
if (!in_array($ogroupdn, $this->savedGroupsMembership)) { if (!in_array($ogroupdn, $this->savedGroupsMembership)) {
$g = objects::open($ogroupdn, 'ogroup'); $g = objects::open($ogroupdn, 'ogroup');
if (!$g->getBaseObject()->attrIsWriteable('member')) { if (!in_array($ogroupdn, $this->templateGroups) && !$g->getBaseObject()->attrIsWriteable('member')) {
$errors[] = msgPool::permModify($ogroupdn, 'member'); $errors[] = msgPool::permModify($ogroupdn, 'member');
continue; continue;
} }
...@@ -282,7 +284,7 @@ class userRoles extends simplePlugin ...@@ -282,7 +284,7 @@ class userRoles extends simplePlugin
foreach ($rolesMembership as $roledn) { foreach ($rolesMembership as $roledn) {
if (!in_array($roledn, $this->savedRolesMembership)) { if (!in_array($roledn, $this->savedRolesMembership)) {
$r = objects::open($roledn, 'role'); $r = objects::open($roledn, 'role');
if (!$r->getBaseObject()->attrIsWriteable('roleOccupant')) { if (!in_array($roledn, $this->templateRoles) && !$r->getBaseObject()->attrIsWriteable('roleOccupant')) {
$errors[] = msgPool::permModify($roledn, 'roleOccupant'); $errors[] = msgPool::permModify($roledn, 'roleOccupant');
continue; continue;
} }
...@@ -325,13 +327,27 @@ class userRoles extends simplePlugin ...@@ -325,13 +327,27 @@ class userRoles extends simplePlugin
$this->savedGroupsMembership = $this->groupsMembership; $this->savedGroupsMembership = $this->groupsMembership;
if (isset($this->attrs['userGroups'])) { if (isset($this->attrs['userGroups'])) {
unset($this->attrs['userGroups']['count']); unset($this->attrs['userGroups']['count']);
$this->groupsMembership = $this->attrs['userGroups']; $myGroups = array_combine($this->attrs['userGroups'], $this->attrs['userGroups']);
$groups = $this->attributesAccess['groupsMembership']->attribute->getDisplayChoices();
$groups = array_merge($myGroups, $groups);
$this->attributesAccess['groupsMembership']->attribute->setChoices(array_keys($groups), array_values($groups));
$this->attributesAccess['groupsMembership']->setValue(array_keys($myGroups));
$this->templateGroups = array_keys($myGroups);
} else {
$this->templateGroups = array();
} }
$this->savedRolesMembership = $this->rolesMembership; $this->savedRolesMembership = $this->rolesMembership;
if (isset($this->attrs['userRoles'])) { if (isset($this->attrs['userRoles'])) {
unset($this->attrs['userRoles']['count']); unset($this->attrs['userRoles']['count']);
$this->rolesMembership = $this->attrs['userRoles']; $myRoles = array_combine($this->attrs['userRoles'], $this->attrs['userRoles']);
$roles = $this->attributesAccess['rolesMembership']->attribute->getDisplayChoices();
$roles = array_merge($myRoles, $roles);
$this->attributesAccess['rolesMembership']->attribute->setChoices(array_keys($roles), array_values($roles));
$this->attributesAccess['rolesMembership']->setValue(array_keys($myRoles));
$this->templateRoles = array_keys($myRoles);
} else {
$this->templateRoles = array();
} }
$this->is_account = ((count($this->rolesMembership) > 0) || (count($this->groupsMembership) > 0)); $this->is_account = ((count($this->rolesMembership) > 0) || (count($this->groupsMembership) > 0));
......
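Review bot: Both new ACL exemptions — `in_array($ogroupdn, $this->templateGroups)` in the groups loop and `in_array($roledn, $this->templateRoles)` in the roles loop — use loose `in_array`, as does the surrounding `savedGroupsMembership`/`savedRolesMembership` test; pass `TRUE` as the third argument so the exemption only fires on an exact string match: `if (!in_array($ogroupdn, $this->templateGroups, TRUE) && !$g->getBaseObject()->attrIsWriteable('member')) {` (and the same for `roleOccupant`). The exemption is only as safe as the source of `templateGroups`/`templateRoles`: as far as this page shows they are filled solely from the stored `userGroups`/`userRoles` attributes in the load hunk and reset to an empty array otherwise, never from form input, and that invariant deserves a comment next to the new property declarations, e.g. `// DNs read from the template's stored attributes only; they skip the member/roleOccupant write-ACL check, so never populate these from user input`. Since the comparison is byte-exact while LDAP DNs are case-insensitive, a differently-cased DN simply falls back to the ACL check, which fails closed. The load hunk is cut off after the `is_account` line and the enclosing methods of all three hunks begin outside the view.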