Users with admin-access-control-permissions RW are no longer able to change superuser permissions.

This commit is contained in:
2026-05-16 23:47:20 +02:00
parent 38f8584ecf
commit f4cd8e9cde
5 changed files with 30 additions and 7 deletions

View File

@@ -301,4 +301,5 @@ return [
'source_inserve_sync_licenses_desc' => 'This API call first executes the <b>Sync cloud distributor companies</b> action and then synchronizes all servers in an active, deleted, or trial state with Inserve licenses. It creates or updates server licenses in Inserve if they do not exist or if the license quantities differ from those in Sentri.',
'source_inserve_sync_subscriptions' => 'Sync server subscriptions',
'source_inserve_sync_subscriptions_desc' => 'This API call first executes the <b>Sync cloud distributor</b> companies action and then creates a subscription if it does not exist, or updates the subscription description if it does. It also creates subscription lines with the correct product_code entered in the <b>custom source data</b> JSON field.',
'not_allowed_to_change_due_to_group_weight' => 'You are not permitted to modify these settings because has a lower group weight, which is used to enforce hierarchy and prevent privilege escalation.',
];

View File

@@ -301,4 +301,5 @@ return [
'source_inserve_sync_licenses_desc' => 'Deze API-call voert eerst de <b>Synchroniseer cloud-distributeurbedrijven</b> actie uit en synchroniseert daarna alle servers in een actieve, verwijderde of trial status met Inserve-licenties. Het maakt serverlicenties in Inserve aan of werkt ze bij als ze niet bestaan of als de licentieaantallen afwijken van die in Sentri.',
'source_inserve_sync_subscriptions' => 'Synchroniseer serverabonnementen',
'source_inserve_sync_subscriptions_desc' => 'Deze API-call voert eerst de actie <b>Sync cloud distributor companies</b> uit en maakt vervolgens een abonnement aan als dit nog niet bestaat, of werkt de beschrijving van het abonnement bij als het wel bestaat. Daarnaast worden abonnementsregels aangemaakt met de juiste product_code die is ingevuld in het <b>custom source data</b> JSON-veld.',
'not_allowed_to_change_due_to_group_weight' => 'U mag deze instellingen niet wijzigen omdat deze een lagere groepsgewichtwaarde hebben, wat wordt gebruikt om de hiërarchie af te dwingen en privilege-escalatie te voorkomen.'
];

View File

@@ -46,6 +46,15 @@ $stmt = $GLOBALS['pdo']->prepare($query);
$stmt->execute([$user_group_uuid]);
$group_permissions = $stmt->fetchAll(PDO::FETCH_ASSOC);
$toggleDisabled = false;
if ($user_group['user_group_weight'] < $_SESSION['user']['user_group_weight']) {
$toggleDisabled = true;
}
if (!$API->checkPermissions('admin-access-control-permissions', 'RW', true)) {
$toggleDisabled = true;
}
# Set breadcrumb data
array_push($GLOBALS['breadCrumbArray'], array('display' => __('user_groups'), 'href' => '/accesscontrol/#user-groups'));
array_push($GLOBALS['breadCrumbArray'], array('display' => $user_group['user_group_name'], 'href' => ''));
@@ -121,28 +130,35 @@ $pageNavbar->outPutNavbar();
</tr>
</tfoot>
<tbody>
<?php
<?php if ($toggleDisabled) { ?>
<div class="alert alert-warning" role="alert">
<?php echo __('not_allowed_to_change_due_to_group_weight') ?>
</div>
<?php }
foreach ($group_permissions as $group_permissions_data) { ?>
<tr>
<td><?php echo $group_permissions_data['permission_name'] ?> </td>
<td>
<label class="switch">
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="NA" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'NA') ? 'checked' : '') ?>
<?php echo ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) ? '' : 'disabled' ?>>
<?php echo ($toggleDisabled) ? 'disabled' : '' ?>>
<div class="slider"></div>
</label>
</td>
<td>
<label class="switch">
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="RO" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'RO') ? 'checked' : '') ?>
<?php echo ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) ? '' : 'disabled' ?>>
<?php echo ($toggleDisabled) ? 'disabled' : '' ?>>
<div class="slider"></div>
</label>
</td>
<td>
<label class="switch">
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="RW" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'RW') ? 'checked' : '') ?>
<?php echo ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) ? '' : 'disabled' ?>>
<?php echo ($toggleDisabled) ? 'disabled' : '' ?>>
<div class="slider"></div>
</label>
</td>