fix: add security check permissions on groups add / remove

smarcet · smarcet · commit a686682cb499 · 2024-09-07T14:16:15.000-03:00
Change-Id: I01b63a2ee5004d9200f08ba48a620dea5bf05fd0
diff --git a/app/Services/OpenId/UserService.php b/app/Services/OpenId/UserService.php
@@ -255,8 +255,8 @@ public function update(int $id, array $payload): IEntity
 
             $user = $this->repository->getById($id);
 
-            if (is_null($user) || !$user instanceof User)
-                throw new EntityNotFoundException("user not found");
+            if (!$user instanceof User)
+                throw new EntityNotFoundException("User not found.");
 
             $former_email = $user->getEmail();
             $former_password = $user->getPassword();
@@ -298,8 +298,7 @@ public function update(int $id, array $payload): IEntity
                 foreach ($payload['groups'] as $group_id) {
                     $group = $this->group_repository->getById($group_id);
                     if (!$group instanceof Group)
-                        throw new EntityNotFoundException("group not found");
-
+                        throw new EntityNotFoundException("Group not found");
                     $user->addToGroup($group);
                 }
             }
diff --git a/app/libs/Auth/Models/User.php b/app/libs/Auth/Models/User.php
@@ -22,6 +22,7 @@
 use App\libs\Utils\TextUtils;
 use Doctrine\ORM\Event\PreUpdateEventArgs;
 use GuzzleHttp\Exception\RequestException;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Event;
@@ -717,8 +718,50 @@ public function belongToGroup(string $slug): bool
      */
     public function addToGroup(Group $group)
     {
+        Log::debug
+        (
+            sprintf
+            (
+                "User::addToGroup user %s user current groups  %s group 2 add %s",
+                $this->id,
+                $this->getGroupsNice(),
+                $group->getSlug()
+            )
+        );
+
+        $current_user = Auth::user();
+        if($current_user instanceof User){
+            Log::debug
+            (
+                sprintf
+                (
+                    "User::addToGroup current user %s current user groups  %s user %s  user current groups  %s group 2 add %s",
+                    $current_user->getId(),
+                    $current_user->getGroupsNice(),
+                    $this->id,
+                    $this->getGroupsNice(),
+                    $group->getSlug()
+                )
+            );
+
+            if(!$current_user->isActive())
+                throw new ValidationException("Current User is not active.");
+
+            if(!$current_user->isSuperAdmin() && $group->getSlug() != IGroupSlugs::RawUsersGroup) {
+                $current_user->deActivate();
+                throw new ValidationException
+                (
+                    sprintf(
+                        "Only Super Admins can add users to groups other than %s.",
+                        IGroupSlugs::RawUsersGroup
+                    )
+                );
+            }
+        }
+
         if ($this->groups->contains($group))
             throw new ValidationException("User is already assigned to this group.");
+
         $this->groups->add($group);
     }
 
@@ -727,6 +770,43 @@ public function addToGroup(Group $group)
      */
     public function removeFromGroup(Group $group)
     {
+        Log::debug
+        (
+            sprintf
+            (
+                "User::removeFromGroup user %s  user current groups  %s group 2 remove %s",
+                $this->id,
+                $this->getGroupsNice(),
+                $group->getSlug()
+            )
+        );
+        $current_user = Auth::user();
+        if($current_user instanceof User){
+            Log::debug
+            (
+                sprintf
+                (
+                    "User::removeFromGroup current user %s current user groups  %s user %s  user current groups  %s group 2 remove %s",
+                    $current_user->getId(),
+                    $current_user->getGroupsNice(),
+                    $this->id,
+                    $this->getGroupsNice(),
+                    $group->getSlug()
+                )
+            );
+
+            if(!$current_user->isActive())
+                throw new ValidationException("Current User is not active.");
+
+            if(!$current_user->isSuperAdmin()) {
+                $current_user->deActivate();
+                throw new ValidationException
+                (
+                    "Only Super Admins can remove users from groups",
+                );
+            }
+        }
+
         if (!$this->groups->contains($group)) return;
         $this->groups->removeElement($group);
     }
