Do not makes group editable if the user is not an admin

This fixes a bug where the field was (correctly) disabled if the editing user isn’t a superadmin, but because the field was disabled, it would clear the permission groups.
2024-12-25 13:44:06 -08:00 · 2016-10-31 18:57:35 -07:00 · 2016-10-31 18:57:35 -07:00 · 8323ed27c2
parent c47d391946
commit 8323ed27c2
2 changed files with 41 additions and 24 deletions
--- a/app/Http/Controllers/UsersController.php
+++ b/app/Http/Controllers/UsersController.php
@ -315,12 +315,16 @@ class UsersController extends Controller
            return redirect()->route('users')->with('error', $error);
        }

-        // First handle anything exclusive to editing.
+
+        // Only save groups if the user is a super user
+        if (Auth::user()->isSuperUser()) {
            if ($request->has('groups')) {
                $user->groups()->sync($request->input('groups'));
            } else {
                $user->groups()->sync(array());
            }
+        }
+
        // Do we want to update the user password?
        if ($request->has('password')) {
            $user->password = bcrypt($request->input('password'));
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@ -368,14 +368,25 @@
          <div class="form-group{{ $errors->has('groups') ? ' has-error' : '' }}">
            <label class="col-md-3 control-label" for="groups"> {{ trans('general.groups') }}</label>
            <div class="col-md-5">
+
+                @if ((Config::get('app.lock_passwords') || ($user->id==Auth::user()->id) || (!Auth::user()->isSuperUser())))
+
+                    @if (count($userGroups->keys()) > 0)
+                        <ul>
+                        @foreach ($groups as $id => $group)
+                            {!! ($userGroups->keys()->contains($id) ? '<li>'.e($group).'</li>' : '') !!}
+                        @endforeach
+                        </ul>
+                    @endif
+
+                    <span class="help-block">Only superadmins may edit group memberships.</p>
+                    @else
                    <div class="controls">
                        <select
                                name="groups[]"
                                id="groups[]"
                                multiple="multiple"
-                  class="form-control"
-                  {{ ((Config::get('app.lock_passwords') || ($user->id==Auth::user()->id) || (!Auth::user()->isSuperUser())) ? ' disabled' : '') }}
-                >
+                                class="form-control">

                            @foreach ($groups as $id => $group)
                                <option value="{{ $id }}"
@ -389,6 +400,8 @@
                          {{ trans('admin/users/table.groupnotes') }}
                        </span>
                    </div>
+                @endif
+
            </div>
          </div>
          <!-- Email user -->