diff --git a/application/controllers/UserManagementController.php b/application/controllers/UserManagementController.php index 4f77cef7e31..0baa408e734 100644 --- a/application/controllers/UserManagementController.php +++ b/application/controllers/UserManagementController.php @@ -1018,21 +1018,23 @@ public function actionBatchSendAndResetLoginData() $aResults[$user]['title'] = $oUser->users_name; //User should not reset and resend email to himself throw massive action if ($oUser->uid == Yii::app()->user->id) { + $aResults[$user]['result'] = false; $aResults[$user]['error'] = gT("Error! Please change your password from your profile settings."); - } else { - //not modify original superuser - if ($oUser->uid == 1) { - $aResults[$user]['error'] = gT("Error! You do not have the permission to edit this user."); - } else { - $passwordManagement = new \LimeSurvey\Models\Services\PasswordManagement($oUser); - $successData = $passwordManagement->sendPasswordLinkViaEmail(\LimeSurvey\Models\Services\PasswordManagement::EMAIL_TYPE_RESET_PW); - $success = $successData['success']; - if (!$success) { - $aResults[$user]['error'] = sprintf(gT("Error: New password could not be sent to %s"), $oUser->email); - } - $aResults[$user]['result'] = $success; - } + continue; + } + $userManager = new UserManager(Yii::app()->user, $oUser); + if (!$userManager->canEdit()) { + $aResults[$user]['result'] = false; + $aResults[$user]['error'] = gT("Error! You do not have the permission to edit this user."); + continue; } + $passwordManagement = new \LimeSurvey\Models\Services\PasswordManagement($oUser); + $successData = $passwordManagement->sendPasswordLinkViaEmail(\LimeSurvey\Models\Services\PasswordManagement::EMAIL_TYPE_RESET_PW); + $success = $successData['success']; + if (!$success) { + $aResults[$user]['error'] = sprintf(gT("Error: New password could not be sent to %s"), $oUser->email); + } + $aResults[$user]['result'] = $success; } $tableLabels = array(gT('User ID'), gT('Username'), gT('Status')); @@ -1066,8 +1068,22 @@ public function actionBatchPermissions() $aPermissions = Yii::app()->request->getPost('Permission', []); $results = []; foreach ($userIds as $iUserId) { - $aPermissionsResults = $this->applyPermissionFromArray($iUserId, $aPermissions); $oUser = User::model()->findByPk($iUserId); + $results[$iUserId] = [ + 'title' => $oUser->users_name + ]; + if ($oUser->uid == Yii::app()->user->id) { + $aResults[$user]['result'] = false; + $aResults[$user]['error'] = gT("You can not update your own permission."); + continue; + } + $userManager = new UserManager(Yii::app()->user, $oUser); + if (!$userManager->canAssignPermissions()) { + $results[$iUserId]['result'] = false; + $results[$iUserId]['error'] = gT("You are not allowed to assign permissions to this user."); + continue; + } + $aPermissionsResults = $this->applyPermissionFromArray($iUserId, $aPermissions); $oUser->modified = date('Y-m-d H:i:s'); $results[$iUserId]['result'] = $oUser->save(); $results[$iUserId]['title'] = $oUser->users_name; @@ -1104,47 +1120,29 @@ public function actionBatchPermissions() public function actionBatchAddGroup() { if (!Permission::model()->hasGlobalPermission('users', 'update')) { - return $this->renderPartial( - 'partial/error', - ['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true] - ); + throw new CHttpException(403, gT("You do not have permission to access this page.")); } $aItems = json_decode(Yii::app()->request->getPost('sItems', '')) ?? []; - $iUserGroupId = Yii::app()->request->getPost('addtousergroup'); - - if ($iUserGroupId) { - $oUserGroup = UserGroup::model()->findByPk($iUserGroupId); - /* check if have permission */ - if ( - Permission::model()->hasGlobalPermission('usergroups', 'update') /* Global update permission @see UserGroupController->actionEdit */ - || $oUserGroup->requestEditGroup($oUserGroup->ugid, Yii::app()->session['loginID']) /* This user group permission */ - ) { - $aResults = []; - foreach ($aItems as $sItem) { - $aResults[$sItem]['title'] = ''; - $model = $this->loadModel($sItem); - $aResults[$sItem]['title'] = $model->users_name; - if (!$oUserGroup->hasUser($sItem)) { - $aResults[$sItem]['result'] = $oUserGroup->addUser($sItem); - } else { - $aResults[$sItem]['result'] = false; - $aResults[$sItem]['error'] = gT('User is already a member of the group.'); - } - } + $iUserGroupId = App()->request->getPost('addtousergroup'); + $oUserGroup = UserGroup::model()->findByPk($iUserGroupId); + if (!$oUserGroup) { + throw new CHttpException(404, gT("Group not found")); + } + /* check if have permission */ + if (!Permission::model()->hasGlobalPermission('superadmin', 'read') && $oUserGroup->requestEditGroup($oUserGroup->ugid, App()->getCurrentUserId())) { + throw new CHttpException(403, gT("You do not have permission to access this page.")); + } + + $aResults = []; + foreach ($aItems as $sItem) { + $aResults[$sItem]['title'] = ''; + $model = $this->loadModel($sItem); + $aResults[$sItem]['title'] = $model->users_name; + if (!$oUserGroup->hasUser($sItem)) { + $aResults[$sItem]['result'] = $oUserGroup->addUser($sItem); } else { - $aResults[0] = [ - 'title' => gT("All"), - 'result' => false, - 'error' => gT('You don\'t have permission on this group.') - ]; - } - } else { - foreach ($aItems as $sItem) { - $aResults[$sItem]['title'] = ''; - $model = $this->loadModel($sItem); - $aResults[$sItem]['title'] = $model->users_name; $aResults[$sItem]['result'] = false; - $aResults[$sItem]['error'] = gT('No user group selected.'); + $aResults[$sItem]['error'] = gT('User is already a member of the group.'); } } @@ -1169,11 +1167,8 @@ public function actionBatchAddGroup() public function actionBatchApplyRoles() { /* Need super admin roles */ - if (!Permission::model()->hasGlobalPermission('superadmin')) { - return $this->renderPartial( - 'partial/error', - ['errors' => [gT("You do not have permission to access this page.")], 'noButton' => true] - ); + if (!Permission::model()->hasGlobalPermission('superadmin', 'create')) { + throw new CHttpException(403, gT("You do not have permission to access this page.")); } $aItems = json_decode(Yii::app()->request->getPost('sItems', '')) ?? []; $aUserRoleIds = Yii::app()->request->getPost('roleselector'); @@ -1183,16 +1178,22 @@ public function actionBatchApplyRoles() $aResults[$sItem]['title'] = ''; $model = $this->loadModel($sItem); $aResults[$sItem]['title'] = $model->users_name; - if (Permission::isForcedSuperAdmin($sItem)) { - /* Show an error for forced super admin, this don't disable for DB superadmin */ + if ($model->uid == Yii::app()->user->id) { + $aResults[$user]['result'] = false; + $aResults[$user]['error'] = gT("You can not update your own roles."); + continue; + } + $userManager = new UserManager(Yii::app()->user, $model); + if (!$userManager->canAssignRole()) { $aResults[$sItem]['result'] = false; - $aResults[$sItem]['error'] = gT('The superadmin role cannot be changed.'); + $aResults[$sItem]['error'] = gT('You can not set role to this user.'); } else { foreach ($aUserRoleIds as $iUserRoleId) { $aResults[$sItem]['result'] = Permissiontemplates::model()->applyToUser($sItem, $iUserRoleId); } } } + $tableLabels = array(gT('User ID'), gT('Username'), gT('Status')); Yii::app()->getController()->renderPartial(