Merge pull request #375 from halkyon/onchangegroups_bug
Member::onChangeGroups() should allow ADMIN permission grant if logged in user is admin
This commit is contained in:
commit
cbc5d3c5e8
@ -703,8 +703,8 @@ class Member extends DataObject implements TemplateGlobalProvider {
|
||||
*/
|
||||
function onChangeGroups($ids) {
|
||||
// Filter out admin groups to avoid privilege escalation,
|
||||
// unless the current user is an admin already
|
||||
if(!Permission::checkMember($this, 'ADMIN')) {
|
||||
// unless the current user is an admin already OR the logged in user is an admin
|
||||
if(!(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN'))) {
|
||||
$adminGroups = Permission::get_groups_by_permission('ADMIN');
|
||||
$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
|
||||
return count(array_intersect($ids, $adminGroupIDs)) == 0;
|
||||
|
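Review bot: The new `if` condition decides on two different members without saying so: `Permission::check('ADMIN')` tests the session's current user, while `Permission::checkMember($this, 'ADMIN')` tests the member whose groups are being changed, yet the comment above it ("the current user is an admin already") reads as if both refer to the same person. I would rewrite that comment as `// Allow ADMIN groups only when the target member ($this) already holds ADMIN, or the acting (logged-in) member holds ADMIN` so the privilege boundary is explicit. Because the outcome now depends on session state, a caller that runs this method with no logged-in member (presumably tasks or fixture loading) will take the filtered path; that is worth stating in the method's doc block, which starts before the hunk. The remainder of onChangeGroups, including the return on the permitted path, lies outside the hunk.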
@ -551,6 +551,14 @@ class MemberTest extends FunctionalTest {
|
||||
$staffMember->onChangeGroups(array($newAdminGroup->ID)),
|
||||
'Adding new admin group relation is not allowed for non-admin members'
|
||||
);
|
||||
|
||||
$this->session()->inst_set('loggedInAs', $adminMember->ID);
|
||||
$this->assertTrue(
|
||||
$staffMember->onChangeGroups(array($newAdminGroup->ID)),
|
||||
'Adding new admin group relation is allowed for normal users, when granter is logged in as admin'
|
||||
);
|
||||
$this->session()->inst_set('loggedInAs', null);
|
||||
|
||||
$this->assertTrue(
|
||||
$adminMember->onChangeGroups(array($newAdminGroup->ID)),
|
||||
'Adding new admin group relation is allowed for admin members'
|
||||
|
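Review bot: The added assertions cover granter-is-admin and target-is-admin, but not the case the filter exists for — a non-admin member logged in while granting an ADMIN group to another non-admin — so a regression that made `Permission::check('ADMIN')` pass for any logged-in user would go unnoticed. Whether the first assertion at the top of the hunk runs with no session or with a non-admin session is not visible here, so I would add, before the admin login, `$this->session()->inst_set('loggedInAs', $staffMember->ID);` followed by `$this->assertFalse($staffMember->onChangeGroups(array($newAdminGroup->ID)), 'Non-admin granter cannot add admin group relation');` and a reset of `loggedInAs` to null. The enclosing test method starts before the hunk.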