Author: jfthomps
Date: Wed Oct  5 16:26:00 2011
New Revision: 1179303

URL: http://svn.apache.org/viewvc?rev=1179303&view=rev
Log:
VCL-467
Members of a group from one affiliation have access to groups with the same 
name from other affiliations

applied changes submitted by Aaron Coburn

groups.php: modified viewGroups - check for user being editor of user group 
using editgroupid instead of editgroup (name)

privileges.php:
-modified jsonGetUserGroupMembers - use editgroupid instead of editgroup to 
determine if user has access to view user group membership
-modified checkUserHasPriv - changed user groups foreach to check on groupid in 
addition to name

Modified:
    incubator/vcl/trunk/web/.ht-inc/groups.php
    incubator/vcl/trunk/web/.ht-inc/privileges.php

Modified: incubator/vcl/trunk/web/.ht-inc/groups.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/groups.php?rev=1179303&r1=1179302&r2=1179303&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/groups.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/groups.php Wed Oct  5 16:26:00 2011
@@ -140,8 +140,8 @@ function viewGroups() {
                $editor = 0;
                if($usergroups[$id]["ownerid"] == $user["id"])
                        $owner = 1;
-               if(array_key_exists("editgroup", $usergroups[$id]) &&
-                  in_array($usergroups[$id]["editgroup"], $user["groups"]))
+               if(array_key_exists("editgroupid", $usergroups[$id]) &&
+                  array_key_exists($usergroups[$id]["editgroupid"], 
$user["groups"]))
                        $editor = 1;
                if(! $owner && ! $editor)
                        continue;
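Review bot: The new editor test in viewGroups appears to depend on `$user["groups"]` being keyed by user group id, and nothing near the check says so. A short comment above the `if` would keep a later edit from reverting to a name match, for example `// $user["groups"] is keyed by usergroup id; match on id because group names repeat across affiliations`. When `editgroupid` is present but NULL the lookup should fall through to "not editor", which is the safe outcome and worth stating in the same comment. The body of viewGroups starts and ends outside this hunk.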

Modified: incubator/vcl/trunk/web/.ht-inc/privileges.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/privileges.php?rev=1179303&r1=1179302&r2=1179303&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/privileges.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/privileges.php Wed Oct  5 16:26:00 2011
@@ -1713,7 +1713,8 @@ function jsonGetUserGroupMembers() {
        $usergrpid = processInputVar('groupid', ARG_NUMERIC);
        $domid = processInputVar('domid', ARG_STRING);
        $query = "SELECT g.ownerid, "
-              .        "g2.name AS editgroup "
+              .        "g2.name AS editgroup, "
+              .        "g2.editusergroupid AS editgroupid "
               . "FROM usergroup g "
               . "LEFT JOIN usergroup g2 ON (g.editusergroupid = g2.id) "
               . "WHERE g.id = $usergrpid";
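Review bot: The added column `g2.editusergroupid AS editgroupid` looks like it selects the wrong id. `g2` is already the edit group (joined on `g.editusergroupid = g2.id`), so `g2.editusergroupid` is that edit group's own edit group rather than the group whose name is returned as `editgroup`. The membership test in the following hunk, `array_key_exists($grpdata["editgroupid"], $user["groups"])`, would then authorize against a different group than intended. `. "g.editusergroupid AS editgroupid "` (or `g2.id`) appears to be what is meant. jsonGetUserGroupMembers continues outside this hunk.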
@@ -1725,7 +1726,7 @@ function jsonGetUserGroupMembers() {
                sendJSON($arr);
                return;
        }
-       if($grpdata["ownerid"] != $user["id"] && ! 
(in_array($grpdata["editgroup"], $user["groups"]))) {
+       if($grpdata["ownerid"] != $user["id"] && ! 
(array_key_exists($grpdata["editgroupid"], $user["groups"]))) {
                # user doesn't have access to view membership
                $msg = '(not authorized to view membership)';
                $arr = array('members' => $msg, 'domid' => $domid);
@@ -2637,15 +2638,18 @@ function checkUserHasPriv($priv, $uid, $
                return 1;
        }
 
-       foreach($_user["groups"] as $groupname) {
+       foreach($_user["groups"] as $groupid => $groupname) {
                // if group (has $priv at this node) ||
                # (has cascaded $priv && ! have block at this node) return 1
                if((array_key_exists($groupname, $privs["usergroups"]) &&
+                  $groupid == $privs['usergroups'][$groupname]['id'] &&
                   in_array($priv, $privs["usergroups"][$groupname]['privs'])) 
||
                   ((array_key_exists($groupname, $cascadePrivs["usergroups"]) 
&&
+                  $groupid == $cascadePrivs['usergroups'][$groupname]['id'] &&
                   in_array($priv, 
$cascadePrivs["usergroups"][$groupname]['privs'])) &&
                   (! array_key_exists($groupname, $privs["usergroups"]) ||
-                  ! in_array("block", 
$privs["usergroups"][$groupname]['privs'])))) {
+                       (! in_array("block", 
$privs["usergroups"][$groupname]['privs']) && 
+                  $groupid == $privs['usergroups'][$groupname]['id'])))) {
                        $_SESSION['userhaspriv'][$key] = 1;
                        return 1;
                }
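Review bot: The rewritten block clause at the end of the condition now requires `$groupid == $privs['usergroups'][$groupname]['id']` for the cascaded grant to survive. If the node-level entry under that name belongs to a different group id, the cascaded privilege is denied even though no block applies to the user's own group. A block should only count when the ids match, so the last clause reads more correctly as `(! array_key_exists($groupname, $privs["usergroups"]) || $groupid != $privs['usergroups'][$groupname]['id'] || ! in_array("block", $privs["usergroups"][$groupname]['privs']))`. Because both privilege arrays are still keyed by group name, two same-named groups at one node presumably overwrite each other, and that would need a fix where the arrays are built, outside this hunk. checkUserHasPriv starts and ends outside the hunk.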

