Do not makes group editable if the user is not an admin

This fixes a bug where the field was (correctly) disabled if the editing user isn’t a superadmin, but because the field was disabled, it would clear the permission groups.
2024-12-25 13:44:06 -08:00 · 2016-10-31 18:57:35 -07:00 · 2016-10-31 18:57:35 -07:00 · 8323ed27c2
parent c47d391946
commit 8323ed27c2
2 changed files with 41 additions and 24 deletions
--- a/app/Http/Controllers/UsersController.php
+++ b/app/Http/Controllers/UsersController.php
@ -315,12 +315,16 @@ class UsersController extends Controller
            return redirect()->route('users')->with('error', $error);
        }

-        // First handle anything exclusive to editing.
-        if ($request->has('groups')) {
-            $user->groups()->sync($request->input('groups'));
-        } else {
-            $user->groups()->sync(array());
+
+        // Only save groups if the user is a super user
+        if (Auth::user()->isSuperUser()) {
+            if ($request->has('groups')) {
+                $user->groups()->sync($request->input('groups'));
+            } else {
+                $user->groups()->sync(array());
+            }
        }
+
        // Do we want to update the user password?
        if ($request->has('password')) {
            $user->password = bcrypt($request->input('password'));
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@ -368,27 +368,40 @@
          <div class="form-group{{ $errors->has('groups') ? ' has-error' : '' }}">
            <label class="col-md-3 control-label" for="groups"> {{ trans('general.groups') }}</label>
            <div class="col-md-5">
-              <div class="controls">
-                <select
-                  name="groups[]"
-                  id="groups[]"
-                  multiple="multiple"
-                  class="form-control"
-                  {{ ((Config::get('app.lock_passwords') || ($user->id==Auth::user()->id) || (!Auth::user()->isSuperUser())) ? ' disabled' : '') }}
-                >

-                @foreach ($groups as $id => $group)
-                  <option value="{{ $id }}"
-                    {{ ($userGroups->keys()->contains($id) ? ' selected="selected"' : '') }}>
-                    {{ $group }}
-                  </option>
-                @endforeach
-                </select>
+                @if ((Config::get('app.lock_passwords') || ($user->id==Auth::user()->id) || (!Auth::user()->isSuperUser())))
+
+                    @if (count($userGroups->keys()) > 0)
+                        <ul>
+                        @foreach ($groups as $id => $group)
+                            {!! ($userGroups->keys()->contains($id) ? '<li>'.e($group).'</li>' : '') !!}
+                        @endforeach
+                        </ul>
+                    @endif
+
+                    <span class="help-block">Only superadmins may edit group memberships.</p>
+                    @else
+                    <div class="controls">
+                        <select
+                                name="groups[]"
+                                id="groups[]"
+                                multiple="multiple"
+                                class="form-control">
+
+                            @foreach ($groups as $id => $group)
+                                <option value="{{ $id }}"
+                                        {{ ($userGroups->keys()->contains($id) ? ' selected="selected"' : '') }}>
+                                    {{ $group }}
+                                </option>
+                            @endforeach
+                        </select>
+
+                        <span class="help-block">
+                          {{ trans('admin/users/table.groupnotes') }}
+                        </span>
+                    </div>
+                @endif

-                <span class="help-block">
-                  {{ trans('admin/users/table.groupnotes') }}
-                </span>
-              </div>
            </div>
          </div>
          <!-- Email user -->