Fix user creation with FullMultipleCompanySupport enabled over API

It is currently possible as a non-superuser to create a new user or patch an existing user with arbitrary company over the API if FullMultipleCompanySupport is enabled.
Although this is a highly unlikely scenario, since the user needs permission to create API keys and new users, it is a bug that should be fixed.

Add a call to getIdForCurrentUser() to normalize the company_id if FullMultipleCompanySupport is enabled.
This commit is contained in:
Tobias Regnery 2024-10-16 11:18:24 +02:00
parent 2500375400
commit fdcc17ca2c


@ -14,6 +14,7 @@ use App\Http\Transformers\UsersTransformer;
use App\Models\Actionlog; use App\Models\Actionlog;
use App\Models\Asset; use App\Models\Asset;
use App\Models\Accessory; use App\Models\Accessory;
use App\Models\Company;
use App\Models\Consumable; use App\Models\Consumable;
use App\Models\License; use App\Models\License;
use App\Models\User; use App\Models\User;
@ -371,6 +372,7 @@ class UsersController extends Controller
$user = new User; $user = new User;
$user->fill($request->all()); $user->fill($request->all());
$user->company_id = Company::getIdForCurrentUser($request->input('company_id'));
$user->created_by = auth()->id(); $user->created_by = auth()->id();
if ($request->has('permissions')) { if ($request->has('permissions')) {
@ -452,6 +454,10 @@ class UsersController extends Controller
$user->fill($request->all()); $user->fill($request->all());
if ($request->filled('company_id')) {
$user->company_id = Company::getIdForCurrentUser($request->input('company_id'));
}
if ($user->id == $request->input('manager_id')) { if ($user->id == $request->input('manager_id')) {
return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager')); return response()->json(Helper::formatStandardApiResponse('error', null, 'You cannot be your own manager'));
} }
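Review bot: The `filled('company_id')` guard in the update hunk leaves whatever `$user->fill($request->all())` mass-assigned in place when the request carries `company_id` as an empty string or null, so that one case bypasses the new normalization (this assumes `company_id` is in the User model's `$fillable`, which is not visible here). Keying the guard on presence rather than non-emptiness, `if ($request->has('company_id')) {`, routes every client-supplied value through `Company::getIdForCurrentUser()` the way the store hunk does unconditionally at its `$user->company_id = ...` line, while still leaving `company_id` untouched for requests that omit the key. Before relying on that, confirm what `getIdForCurrentUser()` returns for a null input under FullMultipleCompanySupport, since that determines the outcome for non-superusers sending an empty value. The enclosing update method starts and ends outside the hunk.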