Restrict members group modification from managers to owned groups only
authorJohan Cwiklinski <johan@x-tnd.be>
Thu, 11 Nov 2021 12:32:28 +0000 (13:32 +0100)
committerJohan Cwiklinski <johan@x-tnd.be>
Sat, 13 Nov 2021 10:31:14 +0000 (11:31 +0100)
galette/lib/Galette/Controllers/Crud/MembersController.php
galette/lib/Galette/Core/Authentication.php
galette/lib/Galette/Repository/Groups.php

index 0a62913e481f9f1e39c1b4ae9073ef031ad59c52..74355e1c1ce84b0bd3c1f4d980956722dbdba0a5 100644 (file)
@@ -1651,30 +1651,32 @@ class MembersController extends CrudController
                         $success_detected[] = _T("Member account has been modified.");
                     }
 
-                    //store requested groups
-                    $groups_adh = $post['groups_adh'] ?? null;
-                    $managed_groups_adh = $post['groups_managed_adh'] ?? null;
-
-                    //add/remove user from groups
-                    $add_groups = Groups::addMemberToGroups(
-                        $member,
-                        $groups_adh
-                    );
+                    if ($this->login->isGroupManager()) {
+                        //store requested groups
+                        $groups_adh = $post['groups_adh'] ?? null;
+                        $managed_groups_adh = $post['groups_managed_adh'] ?? null;
+
+                        //add/remove user from groups
+                        $add_groups = Groups::addMemberToGroups(
+                            $member,
+                            $groups_adh
+                        );
 
-                    if ($add_groups === false) {
-                        $error_detected[] = _T("An error occurred adding member to its groups.");
-                    }
+                        if ($add_groups === false) {
+                            $error_detected[] = _T("An error occurred adding member to its groups.");
+                        }
 
-                    //add/remove manager from groups
-                    $add_groups = Groups::addMemberToGroups(
-                        $member,
-                        $managed_groups_adh,
-                        true
-                    );
-                    $member->loadGroups();
+                        //add/remove manager from groups
+                        $add_groups = Groups::addMemberToGroups(
+                            $member,
+                            $managed_groups_adh,
+                            true
+                        );
+                        $member->loadGroups();
 
-                    if ($add_groups === false) {
-                        $error_detected[] = _T("An error occurred adding member to its groups as manager.");
+                        if ($add_groups === false) {
+                            $error_detected[] = _T("An error occurred adding member to its groups as manager.");
+                        }
                     }
                 } else {
                     //something went wrong :'(
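Review bot: The new guard `if ($this->login->isGroupManager())` makes group assignment depend on that one predicate, so whether administrators and staff still reach `Groups::addMemberToGroups()` hinges on `isGroupManager()` returning true for them — that method is not in this hunk (only its tail, `return $manager;`, is visible in the Authentication.php hunk), so confirm it, otherwise admins silently lose group editing. A related gap: when the check fails, any `groups_adh` / `groups_managed_adh` present in `$post` is dropped without touching `$error_detected` or `$success_detected`, so a user who tampers with the form gets a plain success. Consider surfacing it, e.g. `} elseif (isset($post['groups_adh']) || isset($post['groups_managed_adh'])) { $error_detected[] = _T("You are not allowed to change group memberships."); }`. The enclosing MembersController method begins and ends outside the hunk.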
index a59d60aaaa30bb404d7c2e4b9bc18f05fd1222e6..30422b16b79c6a420714daa4edf708751e4bcacf 100644 (file)
@@ -251,6 +251,16 @@ abstract class Authentication
         return $manager;
     }
 
+    /**
+     * Get managed groups
+     *
+     * @return array
+     */
+    public function getManagedGroups(): array
+    {
+        return $this->managed_groups;
+    }
+
     /**
      * Is user currently up to date?
      * An up to date member is active and either due free, or with up to date
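Review bot: `getManagedGroups()` exposes `$this->managed_groups` with only `@return array`, yet `Groups::addMemberToGroups()` feeds it straight into `where->in()` and into `in_array()` against ids parsed as strings by `explode('|', …)`, so the element type matters to callers; document it, e.g. `@return int[] ids of the groups this login manages (empty for non-managers)` — assuming the property holds integer ids, which this hunk does not show. If the property can be unset before authentication completes, the `: array` return type would raise a TypeError; confirm it is initialised to `[]` on every path.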
index 3674c7fad19f97cb2aea98dfa6190fb0c49ebeb2..49dad4b0062c5d89d055381e583efa945159a5cc 100644 (file)
@@ -260,7 +260,13 @@ class Groups
      */
     public static function addMemberToGroups($adh, $groups, $manager = false, $transaction = false)
     {
-        global $zdb;
+        global $zdb, $login;
+
+        $managed_groups = [];
+        if (!$login->isSuperAdmin() && !$login->isAdmin() && !$login->isStaff()) {
+            $managed_groups = $login->getManagedGroups();
+        }
+
         try {
             if ($transaction === false) {
                 $zdb->connection->beginTransaction();
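Review bot: The scoping computed at `$managed_groups = $login->getManagedGroups();` is fail-open: a login that is neither superadmin, admin nor staff but manages no groups gets an empty list, and every later check in this function is written as `if (count($managed_groups))`, which reads an empty list as "no restriction" and leaves that login free to rewrite all of the member's memberships. The controller hunk gates its call with `isGroupManager()`, but this is a public static helper relying on `global $login`, so other call sites (and any caller outside a web request where `$login` is undefined) are not covered by that gate. Carry the decision in an explicit flag and stop early when a restricted login has nothing it may touch; the function's return convention is outside the hunk, so the early-return value below is a placeholder to align with it.

```php
global $zdb, $login;

// Privileged roles may touch any group; everyone else is scoped to the
// groups they manage, and an empty scope must mean "nothing", not "all".
$restrict = !$login->isSuperAdmin() && !$login->isAdmin() && !$login->isStaff();
$managed_groups = $restrict ? $login->getManagedGroups() : [];
if ($restrict && $managed_groups === []) {
    return false; // TODO(review): match this function's "nothing done" return value
}
// … unchanged: transaction start; later gates should test $restrict, not count($managed_groups) …
```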
@@ -276,6 +282,9 @@ class Groups
             //first, remove current groups members
             $delete = $zdb->delete($table);
             $delete->where([Adherent::PK => $adh->id]);
+            if (count($managed_groups)) {
+                $delete->where->in(Group::PK, $managed_groups);
+            }
             $zdb->execute($delete);
 
             $msg = null;
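Review bot: The narrowed delete `$delete->where->in(Group::PK, $managed_groups)` is the line that keeps a member's memberships in groups outside the manager's scope intact, but nothing says so; add `// a group manager may only detach the member from groups they manage; other memberships are preserved`. Note also that `if (count($managed_groups))` is what decides whether the restriction applies at all, so a non-privileged login with an empty managed list falls through to the unrestricted delete of every membership — tie this to an explicit "restricted" flag decided where the list is built rather than to the list's length.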
@@ -303,6 +312,10 @@ class Groups
                 foreach ($groups as $group) {
                     list($gid, $gname) = explode('|', $group);
 
+                    if (count($managed_groups) && !in_array($gid, $managed_groups)) {
+                        continue;
+                    }
+
                     $result = $stmt->execute(
                         array(
                             'group' => $gid,
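Review bot: Skipping a non-managed id with a bare `continue` hides tampering: a manager who posts a group outside their scope gets a plain success from the controller, since `$add_groups` only becomes false on an exception. Count or log the rejected ids so the caller can report them, or at minimum explain the choice: `// ids outside the manager's scope are silently dropped; they are never inserted`. The comparison `in_array($gid, $managed_groups)` is loose and `$gid` is a string from `explode()`; if the managed list holds integers (not shown here), prefer `!in_array((int) $gid, $managed_groups, true)`, which also matches the value bound as `'group' => $gid`. Tie this check to the same explicit restriction flag as the delete rather than to `count($managed_groups)`, because an empty list currently disables the check entirely. The loop and the function continue past the hunk.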