KTS-2655

"Error Message On Removing Permissions but action goes ahead anyway" Fixed. Added a check to ensure the user doesn't removed his/her own permission to manage security. Committed by: Megan Watson Reviewed by: Jonathan Byrne git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@8162 c91229c3-7414-0410-bfa2-8a42b809f60b

KTS-2655
"Error Message On Removing Permissions but action goes ahead anyway" Fixed. Added a check to ensure the user doesn't removed his/her own permission to manage security. Committed by: Megan Watson Reviewed by: Jonathan Byrne git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@8162 c91229c3-7414-0410-bfa2-8a42b809f60b
megan_w
1 parent 0b936ff5
Showing 2 changed files with 51 additions and 13 deletions
lib/groups/GroupUtil.php
plugins/ktcore/folder/Permissions.php
@@ -7,32 +7,32 @@
  * KnowledgeTree Open Source Edition
  * Document Management Made Simple
  * Copyright (C) 2004 - 2008 The Jam Warehouse Software (Pty) Limited
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License version 3 as published by the
  * Free Software Foundation.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  * details.
- * 
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- * 
+ *
  * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place,
  * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com.
- * 
+ *
  * The interactive user interfaces in modified source and object code versions
  * of this program must display Appropriate Legal Notices, as required under
  * Section 5 of the GNU General Public License version 3.
- * 
+ *
  * In accordance with Section 7(b) of the GNU General Public License version 3,
  * these Appropriate Legal Notices must retain the display of the "Powered by
- * KnowledgeTree" logo and retain the original copyright notice. If the display of the 
+ * KnowledgeTree" logo and retain the original copyright notice. If the display of the
  * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
- * must display the words "Powered by KnowledgeTree" and retain the original 
- * copyright notice. 
+ * must display the words "Powered by KnowledgeTree" and retain the original
+ * copyright notice.
  * Contributor( s): ______________________________________
  */
@@ -304,6 +304,26 @@ class GroupUtil {
     }
     // }}}
+    function checkUserInGroups($iUserId, $aGroupIds) {
+        $sGroupIds = implode(', ', $aGroupIds);
+
+        global $default;
+        $sTable = $default->users_groups_table;
+        $sQuery = "SELECT count(*) AS cnt FROM $sTable WHERE user_id = ? AND group_id IN (?)";
+        $aParams = array($iUserId, $sGroupIds);
+
+        $res = DBUtil::getOneResult(array($sQuery, $aParams));
+
+        if(PEAR::isError($res) || empty($res)){
+            return false;
+        }
+
+        if($res['cnt'] > 0){
+            return true;
+        }
+        return false;
+    }
+
     // {{{
     function buildGroupArray() {
         global $default;
@@ -453,11 +453,29 @@ class KTFolderPermissionsAction extends KTFolderAction {
         if (!KTBrowseUtil::inAdminMode($this->oUser, $this->oFolder)) {
             $this->oValidator->userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oFolder, $aOptions);
         }
+
+        $aFoo = $_REQUEST['foo'];
+        $aPermissions = KTPermission::getList();
+
+        // Check which groups have permission to manage security
+        $aNewGroups = $aFoo[4]['group'];
+        $aNewRoles = (isset($aFoo[4]['role']) ? $aFoo[4]['role'] : array());
+
+        // Ensure the user is not removing his/her own permission to update the folder permissions (manage security)
+        if(!in_array(-3, $aNewRoles)){
+            $iUserId = $this->oUser->getId();
+            if(!GroupUtil::checkUserInGroups($iUserId, $aNewGroups)){
+                // If user no longer has permission, return an error.
+                $this->addErrorMessage(_kt('The selected permissions cannot be updated. You will no longer have permission to manage security on this folder.'));
+                $this->redirectTo('edit', 'fFolderId=' . $this->oFolder->getId());
+                exit(0);
+            }
+        }
+
+
         require_once(KT_LIB_DIR . '/documentmanagement/observers.inc.php');
         $oPO = KTPermissionObject::get($this->oFolder->getPermissionObjectId());
-        $aFoo = $_REQUEST['foo'];
-        $aPermissions = KTPermission::getList();
         foreach ($aPermissions as $oPermission) {
             $iPermId = $oPermission->getId();
@@ -471,11 +489,11 @@ class KTFolderPermissionsAction extends KTFolderAction {
             'transactionNS' => 'ktcore.transactions.permissions_change',
             'userid' => $_SESSION['userID'],
             'ip' => Session::getClientIP(),
-        ));
+            ));
         $aOptions = array(
             'defaultmessage' => _kt('Error updating permissions'),
             'redirect_to' => array('edit', sprintf('fFolderId=%d', $this->oFolder->getId())),
-        );
+            );
         $this->oValidator->notErrorFalse($oTransaction, $aOptions);
         $po =& new JavascriptObserver($this);