From 28ef6304ce2cc8c155955b054be373f67d5c7f11 Mon Sep 17 00:00:00 2001
From: srosse <stephane.rosse@frentix.com>
Date: Fri, 29 Mar 2019 11:06:01 +0100
Subject: [PATCH] OO-3984: restrict bulk changes too

---
 .../olat/admin/user/UserAdminController.java  |  5 ++++-
 .../bulkChange/UserBulkChangeManager.java     | 20 ++++++++++++++++---
 .../ui/admin/UserSearchTableController.java   |  7 ++++---
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/olat/admin/user/UserAdminController.java b/src/main/java/org/olat/admin/user/UserAdminController.java
index ee534083d03..ecf45ca8bb6 100644
--- a/src/main/java/org/olat/admin/user/UserAdminController.java
+++ b/src/main/java/org/olat/admin/user/UserAdminController.java
@@ -498,7 +498,10 @@ public class UserAdminController extends BasicController implements Activateable
 
 	private boolean isPasswordChangesAllowed(Identity identity) {
 		if (managerRoles.isManagerOf(OrganisationRoles.administrator, editedRoles)
-				|| managerRoles.isManagerOf(OrganisationRoles.rolesmanager, editedRoles)) {
+				|| managerRoles.isManagerOf(OrganisationRoles.rolesmanager, editedRoles)
+				|| (managerRoles.isManagerOf(OrganisationRoles.usermanager, editedRoles)
+						&& !editedRoles.isAdministrator() && !editedRoles.isSystemAdmin()
+						&& !editedRoles.isRolesManager())) {
 			// show pwd form only if user has also right to create new passwords in case
 			// of a user that has no password yet
 			if(ldapLoginModule.isLDAPEnabled() && ldapLoginManager.isIdentityInLDAPSecGroup(identity)) {
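Review bot: The new usermanager clause added on the `||` chain does not exclude targets who are themselves usermanagers, so a usermanager may reset the password of a peer usermanager; if that lateral access is not intended, `&& !editedRoles.isUserManager()` (or whatever the equivalent predicate on `Roles` is) belongs in the same clause. The identical four-clause predicate is introduced again in UserBulkChangeManager by this patch, and two hand-maintained copies of an authorization rule are how the two paths drift apart; a single shared helper such as `static boolean canManagePasswordAndStatus(Roles actingRoles, Roles editedRoles)` called from both places would keep them in lockstep. isPasswordChangesAllowed's body continues past the end of this hunk.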
diff --git a/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java b/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
index d25257760d9..dae0c304be6 100644
--- a/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
+++ b/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
@@ -39,6 +39,7 @@ import org.olat.core.gui.translator.Translator;
 import org.olat.core.helpers.Settings;
 import org.olat.core.id.Identity;
 import org.olat.core.id.Preferences;
+import org.olat.core.id.Roles;
 import org.olat.core.id.User;
 import org.olat.core.id.UserConstants;
 import org.olat.core.logging.OLog;
@@ -108,7 +109,7 @@ public class UserBulkChangeManager implements InitializingBean {
 
 	public void changeSelectedIdentities(List<Identity> selIdentities, UserBulkChanges userBulkChanges,
 			List<String> notUpdatedIdentities, boolean isAdministrativeUser,
-			Translator trans, Identity actingIdentity) {
+			Translator trans, Identity actingIdentity, Roles actingRoles) {
 
 		Translator transWithFallback = userManager.getPropertyHandlerTranslator(trans);
 		String usageIdentifyer = UserBulkChangeStep00.class.getCanonicalName();
@@ -128,9 +129,17 @@ public class UserBulkChangeManager implements InitializingBean {
 			//reload identity from cache, to prevent stale object
 			identity = securityManager.loadIdentityByKey(identity.getKey());
 			User user = identity.getUser();
+			Roles roles = securityManager.getRoles(identity, true);
 			String oldEmail = user.getEmail();
 			String errorDesc = "";
 			boolean updateError = false;
+			
+			boolean canManagedCritical = actingRoles.isManagerOf(OrganisationRoles.administrator, roles)
+					|| actingRoles.isManagerOf(OrganisationRoles.rolesmanager, roles)
+					|| (actingRoles.isManagerOf(OrganisationRoles.usermanager, roles)
+							&& !roles.isAdministrator() && !roles.isSystemAdmin()
+							&& !roles.isRolesManager());
+
 			// change pwd
 			if (attributeChangeMap.containsKey(CRED_IDENTIFYER)) {
 				String newPwd = attributeChangeMap.get(CRED_IDENTIFYER);
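Review bot: The flag introduced at `boolean canManagedCritical = ...` reads as a typo of `canManageCritical`, and since it guards two security decisions later in the loop a clear name matters; renaming it (and a one-line comment such as `// acting user may reset passwords / change status of this identity; mirrors UserAdminController.isPasswordChangesAllowed`) would make the intent obvious. The predicate is evaluated from `roles` loaded per target via `securityManager.getRoles(identity, true)`, which is the right granularity for a bulk operation that may mix privileged and unprivileged targets. The loop body this sits in starts and ends outside the hunk.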
@@ -142,7 +151,12 @@ public class UserBulkChangeManager implements InitializingBean {
 				} else {
 					newPwd = null;
 				}
-				olatAuthManager.changePasswordAsAdmin(identity, newPwd);
+				
+				if (canManagedCritical) {
+					olatAuthManager.changePasswordAsAdmin(identity, newPwd);
+				} else {
+					errorDesc = transWithFallback.translate("error.password");
+				}
 			}
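Review bot: The refusal branch only assigns `errorDesc` and never sets `updateError`, while the loop initialises both `errorDesc = ""` and `updateError = false` together; if the code after this hunk reports failures to `notUpdatedIdentities` based on `updateError` (not visible here), a password reset that was denied for an administrator target would be recorded as a success. Setting both in the else branch, `errorDesc = transWithFallback.translate("error.password"); updateError = true;`, makes the denial visible to the acting user. It is also worth confirming that the `error.password` key exists in the bulk-change translator, since a missing key would show a raw key to the operator.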
 
 			// set language
@@ -213,7 +227,7 @@ public class UserBulkChangeManager implements InitializingBean {
 			
 
 			// set status
-			if (userBulkChanges.getStatus() != null) {
+			if (canManagedCritical && userBulkChanges.getStatus() != null) {
 				Integer status = userBulkChanges.getStatus();	
 				String newStatusText = getStatusText(status);
 				Integer oldStatus = identity.getStatus();
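Review bot: Folding `canManagedCritical` into the `if` condition makes a denied status change silently disappear, whereas the password branch in the same loop at least records an `errorDesc`; an operator who bulk-deactivates a list containing an administrator gets no indication that one row was skipped. An explicit `else if (userBulkChanges.getStatus() != null) { errorDesc = transWithFallback.translate("error.status"); updateError = true; }` would report it the same way, with a translation key added for it. The status-change block continues outside the hunk.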
diff --git a/src/main/java/org/olat/user/ui/admin/UserSearchTableController.java b/src/main/java/org/olat/user/ui/admin/UserSearchTableController.java
index 68d4a9b0a4b..8f3e5c24fe0 100644
--- a/src/main/java/org/olat/user/ui/admin/UserSearchTableController.java
+++ b/src/main/java/org/olat/user/ui/admin/UserSearchTableController.java
@@ -402,7 +402,7 @@ public class UserSearchTableController extends FormBasicController implements Ac
 		final UserBulkChanges userBulkChanges = new UserBulkChanges();
 		Step start = new UserBulkChangeStep00(ureq, identities, userBulkChanges);
 		// callback executed in case wizard is finished.
-		StepRunnerCallback finish = (ureq1, wControl1, runContext) -> {
+		StepRunnerCallback finish = (uureq, wwControl, runContext) -> {
 			// all information to do now is within the runContext saved
 			boolean hasChanges = false;
 			try {
@@ -416,9 +416,10 @@ public class UserSearchTableController extends FormBasicController implements Ac
 					if (!attributeChangeMap.isEmpty() || !roleChangeMap.isEmpty()
 							|| !ownGroups.isEmpty() || !partGroups.isEmpty()
 							|| userBulkChanges.getStatus() != null){
-						Identity addingIdentity = ureq1.getIdentity();
+						Roles actingRoles = uureq.getUserSession().getRoles();
+						Identity actingIdentity = uureq.getIdentity();
 						userBulkChangesManager.changeSelectedIdentities(identities, userBulkChanges, notUpdatedIdentities,
-							isAdministrativeUser, getTranslator(), addingIdentity);
+							isAdministrativeUser, getTranslator(), actingIdentity, actingRoles);
 						hasChanges = true;
 					}
 					runContext.put("notUpdatedIdentities", notUpdatedIdentities);
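Review bot: The caller now threads `actingRoles` through, but in UserBulkChangeManager this patch gates only the password and status paths, while `roleChangeMap` (tested on the line above) is still handed to the same manager; if the role-assignment path in the manager (not visible in this diff) performs no equivalent check, a usermanager could still add or remove roles on administrator accounts through the bulk wizard. It would be worth either applying `canManagedCritical` to the role-change loop as well or stating in a comment why roles are handled separately. `isAdministrativeUser` is still passed alongside `actingRoles`; if it only duplicates what the roles now carry, consider dropping it to leave one source of truth.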
-- 
GitLab