Merge pull request #375 from halkyon/onchangegroups_bug

Member::onChangeGroups() should allow ADMIN permission grant if logged in user is admin
commit cbc5d3c5e856cdf30cd0a04b4eb1d20013ecaf19 2 parents bd6ca59 + 8a6671d
@sminnee sminnee authored
Showing with 11 additions and 3 deletions.
  1. +3 −3 security/Member.php
  2. +8 −0 tests/security/MemberTest.php
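--- a/security/Member.php
+++ b/security/Member.php
@@ -702,9 +702,9 @@ function onAfterWrite() {
 * @return boolean
 */
 function onChangeGroups($ids) {
- // Filter out admin groups to avoid privilege escalation,
- // unless the current user is an admin already
- if(!Permission::checkMember($this, 'ADMIN')) {
+ // Filter out admin groups to avoid privilege escalation,
+ // unless the current user is an admin already OR the logged in user is an admin
+ if(!(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN'))) {
 $adminGroups = Permission::get_groups_by_permission('ADMIN');
 $adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
 return count(array_intersect($ids, $adminGroupIDs)) == 0;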
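Review bot: The rewritten comment on the `// unless ...` line names two principals ("the current user" and "the logged in user") without saying which is which, while the condition beneath it distinguishes `$this` (the member whose groups are changing, via `Permission::checkMember`) from the session user (via `Permission::check`); I would reword it to `// unless $this member already holds ADMIN, or the session user performing the change holds ADMIN`. Because `Permission::check('ADMIN')` consults whoever is logged in rather than an explicit granter argument, the new grant path is only as trustworthy as the session at the time of the call, and any caller that happens to run under an admin session will now pass admin group IDs through unfiltered; that is worth a sentence in the docblock above the hunk so callers know the rule is session-dependent. The remainder of onChangeGroups, including the non-filtering return path, lies outside the hunk.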
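--- a/tests/security/MemberTest.php
+++ b/tests/security/MemberTest.php
@@ -551,6 +551,14 @@ function testOnChangeGroups() {
 $staffMember->onChangeGroups(array($newAdminGroup->ID)),
 'Adding new admin group relation is not allowed for non-admin members'
 );
+
+ $this->session()->inst_set('loggedInAs', $adminMember->ID);
+ $this->assertTrue(
+ $staffMember->onChangeGroups(array($newAdminGroup->ID)),
+ 'Adding new admin group relation is allowed for normal users, when granter is logged in as admin'
+ );
+ $this->session()->inst_set('loggedInAs', null);
+
 $this->assertTrue(
 $adminMember->onChangeGroups(array($newAdminGroup->ID)),
 'Adding new admin group relation is allowed for admin members'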
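Review bot: The new case only pins the positive path of the `Permission::check('ADMIN')` branch; nothing here shows that a logged-in non-admin is still filtered, which is the privilege-escalation case the filter exists for, so a companion `assertFalse` with `loggedInAs` set to `$staffMember->ID` should sit next to it. Note also that the `inst_set('loggedInAs', null)` reset on the line after the assertion only runs if the assertion passes, since a failing assertion throws; unless the test base class resets the session in its setUp/tearDown (not visible here), a failure would leave an admin session active for later tests in the class, so confirming that reset exists is worthwhile. testOnChangeGroups continues outside the hunk on both sides.
```php
// … unchanged: positive case with loggedInAs = $adminMember->ID …
$this->session()->inst_set('loggedInAs', $staffMember->ID);
$this->assertFalse(
    $staffMember->onChangeGroups(array($newAdminGroup->ID)),
    'Adding new admin group relation is still not allowed when the granter is a logged-in non-admin'
);
$this->session()->inst_set('loggedInAs', null);
// … unchanged: assertTrue for admin member …
```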