DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2024-12-25 13:44:06 -08:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

fixed checking permissions for users with no permissions set (#6229)

Browse source 
When a user has no permissions set (=NULL) in the database (like after an
LDAP import) but is a member of a group with permissions, those group
permissions would not have be applied, effectively denying every access
regardless of group permissions.
This commit is contained in:
nix 2018-09-25 22:24:50 +02:00 committed by snipe
parent 115f718cd9
commit f85e3edfc7
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
app/Models/User.php
View file

@ -126,12 +126,13 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
$user_permissions = json_decode($this->permissions, true);
$is_user_section_permissions_set = ($user_permissions != '') && array_key_exists($section, $user_permissions);
//If the user is explicitly granted, return true
if (($user_permissions!='') && ((array_key_exists($section, $user_permissions)) && ($user_permissions[$section]=='1'))) {
if ($is_user_section_permissions_set && ($user_permissions[$section]=='1')) {
return true;
}
// If the user is explicitly denied, return false
if (($user_permissions=='') || array_key_exists($section, $user_permissions) && ($user_permissions[$section]=='-1')) {
if ($is_user_section_permissions_set && ($user_permissions[$section]=='-1')) {
return false;
}