Merge pull request #375 from halkyon/onchangegroups_bug

Member::onChangeGroups() should allow ADMIN permission grant if logged in user is admin
This commit is contained in:
Sam Minnée 2012-04-26 20:26:39 -07:00
commit cbc5d3c5e8
2 changed files with 11 additions and 3 deletions

View File

@ -702,9 +702,9 @@ class Member extends DataObject implements TemplateGlobalProvider {
* @return boolean
*/
function onChangeGroups($ids) {
// Filter out admin groups to avoid privilege escalation,
// unless the current user is an admin already
if(!Permission::checkMember($this, 'ADMIN')) {
// Filter out admin groups to avoid privilege escalation,
// unless the current user is an admin already OR the logged in user is an admin
if(!(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN'))) {
$adminGroups = Permission::get_groups_by_permission('ADMIN');
$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
return count(array_intersect($ids, $adminGroupIDs)) == 0;

View File

@ -551,6 +551,14 @@ class MemberTest extends FunctionalTest {
$staffMember->onChangeGroups(array($newAdminGroup->ID)),
'Adding new admin group relation is not allowed for non-admin members'
);
$this->session()->inst_set('loggedInAs', $adminMember->ID);
$this->assertTrue(
$staffMember->onChangeGroups(array($newAdminGroup->ID)),
'Adding new admin group relation is allowed for normal users, when granter is logged in as admin'
);
$this->session()->inst_set('loggedInAs', null);
$this->assertTrue(
$adminMember->onChangeGroups(array($newAdminGroup->ID)),
'Adding new admin group relation is allowed for admin members'