Only admins can create managers accounts.
corentin-soriano committed Oct 3, 2024
1 parent 9df0568 commit 55d4621
Showing 2 changed files with 17 additions and 13 deletions.
1 change: 1 addition & 0 deletions pages/users.js.php
@@ -733,6 +733,7 @@ function(data) {
$('input[type=radio].only-admin').iCheck('enable');
$('#privilege-admin').iCheck('disable');
$('#privilege-hr').iCheck('disable');
$('#privilege-manager').iCheck('disable');
} else {
$('#privilege-admin').iCheck('disable');
$('#privilege-hr').iCheck('disable');
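Review bot: Disabling `#privilege-manager` here only greys out the radio in the browser, and nothing near the line says that the actual restriction is enforced server-side. A short comment such as `// UI hint only; sources/users.queries.php rejects the request for non-admins` would keep a later reader from treating this branch as the access control. The enclosing callback `function(data) {` starts and ends outside the hunk, so the condition that selects this branch is not visible here.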
29 changes: 16 additions & 13 deletions sources/users.queries.php
@@ -99,7 +99,7 @@

if (null !== $post_type) {
switch ($post_type) {
/*
/*
* ADD NEW USER
*/
case 'add_new_user':
@@ -161,6 +161,21 @@
$post_root_level = filter_var($dataReceived['form-create-root-folder'], FILTER_SANITIZE_NUMBER_INT);
$mfa_enabled = filter_var($dataReceived['mfa_enabled'], FILTER_SANITIZE_NUMBER_INT);

// Only administrators can create managers or administrators accounts.
if (((int) $is_admin === 1 && (int) $session->get('user-admin') !== 1)
|| ((int) $is_manager === 1 && (int) $session->get('user-admin') !== 1)
|| ((int) $is_hr === 1 && (int) $session->get('user-admin') !== 1)) {

echo prepareExchangedData(
array(
'error' => true,
'message' => $lang->get('error_not_allowed_to'),
),
'encode'
);
break;
}

// Empty user
if (empty($login) === true) {
echo prepareExchangedData(
@@ -182,18 +197,6 @@
);

if (DB::count() === 0) {
// check if admin role is set. If yes then check if originator is allowed
if ((int) $dataReceived['admin'] === 1 && (int) $session->get('user-admin') !== 1) {
echo prepareExchangedData(
array(
'error' => true,
'message' => $lang->get('error_not_allowed_to'),
),
'encode'
);
break;
}

// Generate pwd
$password = generateQuickPassword();
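Review bot: The new guard placed before the `// Empty user` check tests `(int) $session->get('user-admin') !== 1` three times, and its comment names only managers and administrators although `$is_hr` is covered too. Hoisting the session test reads more clearly and makes the rule harder to break when another privileged flag is added: `if ((int) $session->get('user-admin') !== 1 && ((int) $is_admin === 1 || (int) $is_manager === 1 || (int) $is_hr === 1)) {`, with the comment reworded to `// Only administrators can create administrator, manager or HR accounts.`. `$is_admin`, `$is_manager` and `$is_hr` are assigned outside the visible hunks, so it is worth confirming they are the same values later written to the user record; the removed check read `$dataReceived['admin']` directly. The `case 'add_new_user':` body continues outside the hunk, and any other case in this switch that writes these flags would presumably need the same rule.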

