dev: checked incoming params for actions in UserGroupController.php (#…

…2248)
LimeSurvey · Feb 14, 2022 · f8d3254 · f8d3254
1 parent 51a6170
commit f8d3254
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 12 deletions.
diff --git a/application/controllers/UserGroupController.php b/application/controllers/UserGroupController.php
@@ -5,6 +5,18 @@
  **/
 class UserGroupController extends LSBaseController
 {
+
+    /**
+     * Run filters
+     *
+     * @return array|void
+     */
+    public function filters()
+    {
+        return [
+            'postOnly + deleteGroup, addUserToGroup, deleteUserFromGroup'
+        ];
+    }
     /**
      * @return array
      **/
@@ -217,6 +229,10 @@ public function actionViewGroup($ugid, bool $header = false)
      */
     public function actionEdit(int $ugid)
     {
+        if (!Permission::model()->hasGlobalPermission('usergroups', 'update')) {
+            Yii::app()->session['flashmessage'] = gT('Access denied!');
+            $this->redirect(App()->createUrl("/admin"));
+        }
         $ugid = (int) $ugid;
 
         $aData = [];
@@ -323,10 +339,6 @@ public function actionDeleteGroup()
     {
         if (Permission::model()->hasGlobalPermission('usergroups', 'delete')) {
             $userGroupId = Yii::app()->request->getPost("ugid");
-            if ($userGroupId === null) {
-                //try to get it from get request
-                $userGroupId = Yii::app()->request->getQuery("ugid");
-            }
 
             if (Permission::model()->hasGlobalPermission('superadmin', 'read')) {
                 //superadmin can delete
@@ -351,12 +363,12 @@ public function actionDeleteGroup()
     /**
      * Adds a user to a group
      *
-     * @param $ugid
      */
-    public function actionAddUserToGroup($ugid)
+    public function actionAddUserToGroup()
     {
         $uid = (int) Yii::app()->request->getPost('uid');
-        $checkPermissionsUserGroupExists = $this->checkBeforeAddDeleteUser($uid, (int)$ugid);
+        $ugid = (int) Yii::app()->request->getPost('ugid');
+        $checkPermissionsUserGroupExists = $this->checkBeforeAddDeleteUser($uid, $ugid);
         if (count($checkPermissionsUserGroupExists) > 0) {
             Yii::app()->user->setFlash('error', $checkPermissionsUserGroupExists['errorMsg']);
             $this->redirect(array($checkPermissionsUserGroupExists['redirectPath']));

diff --git a/application/views/userGroup/viewUserGroup_view.php b/application/views/userGroup/viewUserGroup_view.php
@@ -30,7 +30,7 @@
             <br/><br/>
             <?php if (!empty($userloop)) { ?>
                 <div class="table-responsive">
-                    <table class='users tabletable-hover'>
+                    <table class='users table table-hover'>
                         <thead>
                         <tr>
                             <th><?php eT("Action"); ?></th>
@@ -60,9 +60,6 @@ class="btn btn-default btn-sm"
                                             <input name='uid' type='hidden' value='<?php echo $currentuser["userid"]; ?>'/>
                                             <?php echo CHtml::endForm() ?>
                                             <?php
-                                        } else {
-                                            ?>
-                                            <?php
                                         }
                                         ?>
                                     </div>
@@ -81,14 +78,15 @@ class="btn btn-default btn-sm"
             <?php
             if (!empty($useradddialog)) {
                 ?>
-                <?php echo CHtml::form(["userGroup/AddUserToGroup/ugid/{$ugid}"], 'post'); ?>
+                <?php echo CHtml::form(["userGroup/AddUserToGroup"], 'post'); ?>
                 <table class='users'>
                     <tbody>
                     <tr>
                         <td>
                             <div class="row">
                                 <div class="col-lg-8">
                                     <?php echo CHtml::dropDownList('uid', '-1', $addableUsers, ['class' => "form-control col-lg-4"]); ?>
+                                    <input name='ugid' type='hidden' value='<?php echo $ugid; ?>'/>
                                 </div>
                                 <div class="col-lg-4">
                                     <input type='submit' value='<?php eT("Add user"); ?>' class="btn btn-default"/>