OO-3984: restrict bulk changes too

28ef6304 · srosse · 9db8d83e · 28ef6304 · 28ef6304 · 28ef6304
Commit 28ef6304 authored 6 years ago by srosse
--- a/src/main/java/org/olat/admin/user/UserAdminController.java
+++ b/src/main/java/org/olat/admin/user/UserAdminController.java
@@ -498,7 +498,10 @@ public class UserAdminController extends BasicController implements Activateable
 	private boolean isPasswordChangesAllowed(Identity identity) {
 		if (managerRoles.isManagerOf(OrganisationRoles.administrator, editedRoles)
-				|| managerRoles.isManagerOf(OrganisationRoles.rolesmanager, editedRoles)) {
+				|| managerRoles.isManagerOf(OrganisationRoles.rolesmanager, editedRoles)
+				|| (managerRoles.isManagerOf(OrganisationRoles.usermanager, editedRoles)
+						&& !editedRoles.isAdministrator() && !editedRoles.isSystemAdmin()
+						&& !editedRoles.isRolesManager())) {
 			// show pwd form only if user has also right to create new passwords in case
 			// of a user that has no password yet
 			if(ldapLoginModule.isLDAPEnabled() && ldapLoginManager.isIdentityInLDAPSecGroup(identity)) {

--- a/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
+++ b/src/main/java/org/olat/admin/user/bulkChange/UserBulkChangeManager.java
@@ -39,6 +39,7 @@ import org.olat.core.gui.translator.Translator;
 import org.olat.core.helpers.Settings;
 import org.olat.core.id.Identity;
 import org.olat.core.id.Preferences;
+import org.olat.core.id.Roles;
 import org.olat.core.id.User;
 import org.olat.core.id.UserConstants;
 import org.olat.core.logging.OLog;
@@ -108,7 +109,7 @@ public class UserBulkChangeManager implements InitializingBean {
 	public void changeSelectedIdentities(List<Identity> selIdentities, UserBulkChanges userBulkChanges,
 			List<String> notUpdatedIdentities, boolean isAdministrativeUser,
-			Translator trans, Identity actingIdentity) {
+			Translator trans, Identity actingIdentity, Roles actingRoles) {
 		Translator transWithFallback = userManager.getPropertyHandlerTranslator(trans);
 		String usageIdentifyer = UserBulkChangeStep00.class.getCanonicalName();
@@ -128,9 +129,17 @@ public class UserBulkChangeManager implements InitializingBean {
 			//reload identity from cache, to prevent stale object
 			identity = securityManager.loadIdentityByKey(identity.getKey());
 			User user = identity.getUser();
+			Roles roles = securityManager.getRoles(identity, true);
 			String oldEmail = user.getEmail();
 			String errorDesc = "";
 			boolean updateError = false;
+			boolean canManagedCritical = actingRoles.isManagerOf(OrganisationRoles.administrator, roles)
+					|| actingRoles.isManagerOf(OrganisationRoles.rolesmanager, roles)
+					|| (actingRoles.isManagerOf(OrganisationRoles.usermanager, roles)
+							&& !roles.isAdministrator() && !roles.isSystemAdmin()
+							&& !roles.isRolesManager());
 			// change pwd
 			if (attributeChangeMap.containsKey(CRED_IDENTIFYER)) {
 				String newPwd = attributeChangeMap.get(CRED_IDENTIFYER);
@@ -142,7 +151,12 @@ public class UserBulkChangeManager implements InitializingBean {
 				} else {
 					newPwd = null;
 				}
-				olatAuthManager.changePasswordAsAdmin(identity, newPwd);
+				if (canManagedCritical) {
+					olatAuthManager.changePasswordAsAdmin(identity, newPwd);
+				} else {
+					errorDesc = transWithFallback.translate("error.password");
+				}
 			}
 			// set language
@@ -213,7 +227,7 @@ public class UserBulkChangeManager implements InitializingBean {
 			// set status
-			if (userBulkChanges.getStatus() != null) {
+			if (canManagedCritical && userBulkChanges.getStatus() != null) {
 				Integer status = userBulkChanges.getStatus();	
 				String newStatusText = getStatusText(status);
 				Integer oldStatus = identity.getStatus();

--- a/src/main/java/org/olat/user/ui/admin/UserSearchTableController.java
+++ b/src/main/java/org/olat/user/ui/admin/UserSearchTableController.java
@@ -402,7 +402,7 @@ public class UserSearchTableController extends FormBasicController implements Ac
 		final UserBulkChanges userBulkChanges = new UserBulkChanges();
 		Step start = new UserBulkChangeStep00(ureq, identities, userBulkChanges);
 		// callback executed in case wizard is finished.
-		StepRunnerCallback finish = (ureq1, wControl1, runContext) -> {
+		StepRunnerCallback finish = (uureq, wwControl, runContext) -> {
 			// all information to do now is within the runContext saved
 			boolean hasChanges = false;
 			try {
@@ -416,9 +416,10 @@ public class UserSearchTableController extends FormBasicController implements Ac
 					if (!attributeChangeMap.isEmpty() || !roleChangeMap.isEmpty()
 							|| !ownGroups.isEmpty() || !partGroups.isEmpty()
 							|| userBulkChanges.getStatus() != null){
-						Identity addingIdentity = ureq1.getIdentity();
+						Roles actingRoles = uureq.getUserSession().getRoles();
+						Identity actingIdentity = uureq.getIdentity();
 						userBulkChangesManager.changeSelectedIdentities(identities, userBulkChanges, notUpdatedIdentities,
-							isAdministrativeUser, getTranslator(), addingIdentity);
+							isAdministrativeUser, getTranslator(), actingIdentity, actingRoles);
 						hasChanges = true;
 					}
 					runContext.put("notUpdatedIdentities", notUpdatedIdentities);