security: [authkey:add] Restrict creation of API keys for users in th…
…e same org and for other org_admins
mokaddem committed Feb 23, 2023
1 parent f18cde8 commit 7ccf925
Showing 1 changed file with 6 additions and 2 deletions.
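--- a/src/Controller/AuthKeysController.php
+++ b/src/Controller/AuthKeysController.php
@@ -71,8 +71,12 @@ public function add()
 if (empty($currentUser['role']['perm_org_admin'])) {
 $userConditions['id'] = $currentUser['id'];
 } else {
-$role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0])->all()->extract('id')->toList();
-$userConditions['role_id IN'] = $role_ids;
+$role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->extract('id')->toList();
+$userConditions['organisation_id'] = $currentUser['organisation_id'];
+$userConditions['OR'] = [
+['role_id IN' => $role_ids],
+['id' => $currentUser['id']],
+];
 }
 }
 $users = $this->Users->find('list');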
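Review bot: The tightened `$userConditions` on the added lines only narrow the query that feeds `$this->Users->find('list')`; since add() starts before and continues past this hunk, confirm that the POST path re-checks the submitted `user_id` against the same organisation and role restriction, otherwise the narrower picker is cosmetic and the authorization decision lives in the UI. Separately, `'role_id IN' => $role_ids` receives an empty array whenever every role carries `perm_admin` or `perm_org_admin`, and as far as I recall the CakePHP query builder rejects an empty IN list at execution time — pre-existing on the removed line, but the stricter role filter makes it more likely; consider adding the role clause only when it has values, e.g. `$userConditions['OR'] = [['id' => $currentUser['id']]]; if (!empty($role_ids)) { $userConditions['OR'][] = ['role_id IN' => $role_ids]; }`. Style: `$role_ids` is snake_case next to `$userConditions` and `$currentUser`; `$roleIds` would match the surrounding code.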
