Fixed Access permissions for User Update Method - Fixes #44

rydurham · rydurham · commit cb954854036b · 2013-12-04T22:01:57.000-08:00
diff --git a/app/Authority/Repo/User/SentryUser.php b/app/Authority/Repo/User/SentryUser.php
@@ -73,19 +73,24 @@ public function update($data)
 		    $user->first_name = e($data['firstName']);
 		    $user->last_name = e($data['lastName']);
 
-		    // Update group memberships
-		    $allGroups = $this->sentry->getGroupProvider()->findAll();
-		    foreach ($allGroups as $group)
+		    // Only Admins should be able to change group memberships. 
+		    $operator = $this->sentry->getUser();
+		    if ($operator->hasAccess('admin'))
 		    {
-		    	if (isset($data['groups'][$group->id])) 
-                {
-                    //The user should be added to this group
-                    $user->addGroup($group);
-                } else {
-                    // The user should be removed from this group
-                    $user->removeGroup($group);
-                }
-		    }
+			    // Update group memberships
+			    $allGroups = $this->sentry->getGroupProvider()->findAll();
+			    foreach ($allGroups as $group)
+			    {
+			    	if (isset($data['groups'][$group->id])) 
+	                {
+	                    //The user should be added to this group
+	                    $user->addGroup($group);
+	                } else {
+	                    // The user should be removed from this group
+	                    $user->removeGroup($group);
+	                }
+			    }
+			}
 
 		    // Update the user
 		    if ($user->save())
