

#10738 Prevent imports of users with ROLE_ID_SITE_ADMIN
asmecher committed Dec 18, 2024
1 parent d9f0070 commit a3cf578
Showing 3 changed files with 11 additions and 1 deletion.
3 changes: 3 additions & 0 deletions classes/security/RoleDAO.inc.php
Expand Up @@ -167,6 +167,9 @@ function getByUserIdGroupedByContext($userId) {

$roles = array();
while ($userGroup = $userGroupsFactory->next()) {
// The site admin role MUST only be present for context ID 0.
if ($userGroup->getContextId() != 0 && $userGroup->getRoleId() == ROLE_ID_SITE_ADMIN) continue;

$role = $roleDao->newDataObject();
$role->setRoleId($userGroup->getRoleId());
$roles[$userGroup->getContextId()][$userGroup->getRoleId()] = $role;
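Review bot: The new guard in getByUserIdGroupedByContext skips a ROLE_ID_SITE_ADMIN user group bound to a non-zero context with a bare `continue`, so the anomalous assignment it defends against leaves no trace for an operator to find and clean up. Consider recording it before skipping, e.g. `error_log('Ignoring site admin user group ' . $userGroup->getId() . ' bound to context ' . $userGroup->getContextId());`, so existing bad rows created before this commit can be detected rather than silently hidden. This accessor filters only its own result; other code reading user group assignments directly would presumably still see such a row, so this is a read-side defense in depth and a one-off cleanup of existing data may still be wanted. The function starts before the hunk and continues past it.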
1 change: 1 addition & 0 deletions controllers/grid/plugins/PluginGridRow.inc.php
Expand Up @@ -74,6 +74,7 @@ function initialize($request, $template = null) {
'delete'
));

import('lib.pkp.classes.linkAction.request.AjaxModal');
$this->addAction(new LinkAction(
'upgrade',
new AjaxModal(
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ function handleElement($node) {
}

for ($n = $node->firstChild; $n !== null; $n=$n->nextSibling) if (is_a($n, 'DOMElement')) switch($n->tagName) {
case 'role_id': $userGroup->setRoleId($n->textContent); break;
case 'role_id': $userGroup->setRoleId((int) $n->textContent); break;
case 'is_default': $userGroup->setDefault($n->textContent); break;
case 'show_title': $userGroup->setShowTitle($n->textContent); break;
case 'name': $userGroup->setName($n->textContent, $n->getAttribute('locale')); break;
Expand All @@ -90,6 +90,12 @@ function handleElement($node) {
case 'permit_metadata_edit': $userGroup->setPermitMetadataEdit($n->textContent); break;
}

if (!in_array(
$userGroup->getRoleId(),
[ROLE_ID_MANAGER, ROLE_ID_SUB_EDITOR, ROLE_ID_AUTHOR, ROLE_ID_REVIEWER, ROLE_ID_ASSISTANT, ROLE_ID_READER, ROLE_ID_SUBSCRIPTION_MANAGER]
)) {
fatalError('Unacceptable role_id ' . $userGroup->getRoleId());
}
$userGroupId = $userGroupDao->insertObject($userGroup);

$stageNodeList = $node->getElementsByTagNameNS($deployment->getNamespace(), 'stage_assignments');
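Review bot: The allow-list check in the second hunk calls `in_array` without the strict flag; since `role_id` is now cast with `(int)` in the first hunk and the `ROLE_ID_*` constants are integers, strict comparison is safe and removes loose-comparison surprises if the cast is ever dropped: `if (!in_array($userGroup->getRoleId(), [ROLE_ID_MANAGER, ROLE_ID_SUB_EDITOR, ROLE_ID_AUTHOR, ROLE_ID_REVIEWER, ROLE_ID_ASSISTANT, ROLE_ID_READER, ROLE_ID_SUBSCRIPTION_MANAGER], true)) {`. Together the cast and the allow-list mean a missing or non-numeric `role_id` becomes `0` and is rejected by `fatalError`, which is the right fail-closed outcome for imported XML; a comment above the check such as `// Only context-level roles may be created by import; anything else (site admin in particular) is rejected.` would keep a later maintainer from relaxing it. The other `textContent` setters in the same switch (`is_default`, `show_title`, `permit_metadata_edit`) still receive raw strings, which this commit does not change but which would merit the same casting if those setters expect booleans — I cannot confirm their signatures from here. handleElement starts before the first hunk and continues past the second.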

