[ss-2018-001] Restrict non-admins from being assigned to admin groups
This commit is contained in:
parent
abbc4b72be
commit
5771388821
@ -1042,15 +1042,24 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
|||||||
* @return boolean True if the change can be accepted
|
* @return boolean True if the change can be accepted
|
||||||
*/
|
*/
|
||||||
public function onChangeGroups($ids) {
|
public function onChangeGroups($ids) {
|
||||||
// unless the current user is an admin already OR the logged in user is an admin
|
// Ensure none of these match disallowed list
|
||||||
if(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
|
$disallowedGroupIDs = $this->disallowedGroups();
|
||||||
return true;
|
return count(array_intersect($ids, $disallowedGroupIDs)) == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If there are no admin groups in this set then it's ok
|
/**
|
||||||
$adminGroups = Permission::get_groups_by_permission('ADMIN');
|
* List of group IDs this user is disallowed from
|
||||||
$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
|
*
|
||||||
return count(array_intersect($ids, $adminGroupIDs)) == 0;
|
* @return int[] List of group IDs
|
||||||
|
*/
|
||||||
|
protected function disallowedGroups() {
|
||||||
|
// unless the current user is an admin already OR the logged in user is an admin
|
||||||
|
if (Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
|
||||||
|
return array();
|
||||||
|
}
|
||||||
|
|
||||||
|
// Non-admins may not belong to admin groups
|
||||||
|
return Permission::get_groups_by_permission('ADMIN')->column('ID');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
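Review bot: The new `disallowedGroups()` drops the guard the old `onChangeGroups()` had around the helper's result and calls `->column('ID')` directly on whatever `Permission::get_groups_by_permission('ADMIN')` returns; if that helper can yield a falsy value when no group carries ADMIN (the removed `($adminGroups) ? ... : array()` suggests the author thought so), every non-admin save would fatal on a non-object instead of being allowed. Restoring the guard keeps the documented `int[]` contract: `$adminGroups = Permission::get_groups_by_permission('ADMIN');` then `return $adminGroups ? $adminGroups->column('ID') : array();`. Separately, it is worth confirming whether that helper returns only groups holding the ADMIN code directly or also their child groups, since a subgroup inheriting ADMIN through the hierarchy would otherwise remain assignable by a non-admin; a one-line comment on the return stating which it is would make the boundary explicit. The comment `// Ensure none of these match disallowed list` in `onChangeGroups()` reads better as `// Reject the change if any requested group is on the disallowed list`.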
@ -1465,8 +1474,14 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
|||||||
$fields->removeByName('LoggedPasswords');
|
$fields->removeByName('LoggedPasswords');
|
||||||
|
|
||||||
if(Permission::check('EDIT_PERMISSIONS')) {
|
if(Permission::check('EDIT_PERMISSIONS')) {
|
||||||
|
// Filter allowed groups
|
||||||
|
$groups = Group::get();
|
||||||
|
$disallowedGroupIDs = $this->disallowedGroups();
|
||||||
|
if ($disallowedGroupIDs) {
|
||||||
|
$groups = $groups->exclude('ID', $disallowedGroupIDs);
|
||||||
|
}
|
||||||
$groupsMap = array();
|
$groupsMap = array();
|
||||||
foreach(Group::get() as $group) {
|
foreach ($groups as $group) {
|
||||||
// Listboxfield values are escaped, use ASCII char instead of »
|
// Listboxfield values are escaped, use ASCII char instead of »
|
||||||
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
|
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
|
||||||
}
|
}
|
||||||
|
@ -665,6 +665,36 @@ class MemberTest extends FunctionalTest {
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensure DirectGroups listbox disallows admin-promotion
|
||||||
|
*/
|
||||||
|
public function testAllowedGroupsListbox() {
|
||||||
|
/** @var Group $adminGroup */
|
||||||
|
$adminGroup = $this->objFromFixture('Group', 'admingroup');
|
||||||
|
/** @var Member $staffMember */
|
||||||
|
$staffMember = $this->objFromFixture('Member', 'staffmember');
|
||||||
|
/** @var Member $adminMember */
|
||||||
|
$adminMember = $this->objFromFixture('Member', 'admin');
|
||||||
|
|
||||||
|
// Ensure you can see the DirectGroups box
|
||||||
|
$this->logInWithPermission('EDIT_PERMISSIONS');
|
||||||
|
|
||||||
|
// Non-admin member field contains non-admin groups
|
||||||
|
/** @var ListboxField $staffListbox */
|
||||||
|
$staffListbox = $staffMember->getCMSFields()->dataFieldByName('DirectGroups');
|
||||||
|
$this->assertArrayNotHasKey($adminGroup->ID, $staffListbox->getSource());
|
||||||
|
|
||||||
|
// admin member field contains admin group
|
||||||
|
/** @var ListboxField $adminListbox */
|
||||||
|
$adminListbox = $adminMember->getCMSFields()->dataFieldByName('DirectGroups');
|
||||||
|
$this->assertArrayHasKey($adminGroup->ID, $adminListbox->getSource());
|
||||||
|
|
||||||
|
// If logged in as admin, staff listbox has admin group
|
||||||
|
$this->logInWithPermission('ADMIN');
|
||||||
|
$staffListbox = $staffMember->getCMSFields()->dataFieldByName('DirectGroups');
|
||||||
|
$this->assertArrayHasKey($adminGroup->ID, $staffListbox->getSource());
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Test Member_GroupSet::add
|
* Test Member_GroupSet::add
|
||||||
*/
|
*/
|
||||||
|