Skip to content
Permalink
Browse files Browse the repository at this point in the history
fix: [security] sharing group all org flag too lax
- the all org flag was used as a trigger to make the sharing group obejct itself viewable to all local organisations
- even if the all org flag was set for an instance other than the local one

- as reported by Jeroen Pinoy
  • Loading branch information
iglocska committed Mar 1, 2021
1 parent 11c89e5 commit ca13fee
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion app/Model/SharingGroupServer.php
Expand Up @@ -98,7 +98,7 @@ public function fetchAllAuthorised()
public function checkIfAuthorised($id)
{
$sg = $this->find('first', array(
'conditions' => array('sharing_group_id' => $id, 'all_orgs' => 1),
'conditions' => array('sharing_group_id' => $id, 'all_orgs' => 1, 'server_id' => 0),
'recursive' => -1,
'fields' => array('id'),
));
Expand Down

0 comments on commit ca13fee

Please sign in to comment.