From f4a51116f63ac9641f3df254fbf8001c771903df Mon Sep 17 00:00:00 2001
From: Melanie Thielker
Date: Thu, 5 Jan 2017 14:17:00 +0000
Subject: [PATCH] Fix some permissions checks in groups

The code checked the permissions of a person being added to a role rather than those of the person doing the adding. Also, limited permission role removal wasn't implemented.
---
 .../Addons/Groups/Service/GroupsService.cs | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/OpenSim/Addons/Groups/Service/GroupsService.cs b/OpenSim/Addons/Groups/Service/GroupsService.cs
index ae0518cc8a..710b00a43e 100644
--- a/OpenSim/Addons/Groups/Service/GroupsService.cs
+++ b/OpenSim/Addons/Groups/Service/GroupsService.cs
@@ -496,7 +496,7 @@ namespace OpenSim.Groups
 if (!unlimited && limited)
 {
 // check whether person's has this role
- RoleMembershipData rolemembership = m_Database.RetrieveRoleMember(GroupID, RoleID, AgentID);
+ RoleMembershipData rolemembership = m_Database.RetrieveRoleMember(GroupID, RoleID, RequestingAgentID);
 if (rolemembership == null)
 {
 m_log.DebugFormat("[Groups]: ({0}) Attempt at assigning {1} to role {2} denied because of limited permission", RequestingAgentID, AgentID, RoleID);
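Review bot: The comment above the corrected lookup, `// check whether person's has this role`, does not say which person, and that ambiguity is exactly what the old `AgentID` argument got wrong; reword it to `// the requester must already hold this role to assign it under AssignMemberLimited`. The refusal below it is written with `m_log.DebugFormat` only, so a server logging at a higher level keeps no record of a denied assignment. The enclosing method starts and ends outside the hunk.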
@@ -516,13 +516,26 @@ namespace OpenSim.Groups return false; // check permissions + bool limited = HasPower(RequestingAgentID, GroupID, GroupPowers.AssignMemberLimited); bool unlimited = HasPower(RequestingAgentID, GroupID, GroupPowers.AssignMember) || IsOwner(RequestingAgentID, GroupID); - if (!unlimited) + if (!limited && !unlimited) { m_log.DebugFormat("[Groups]: ({0}) Attempt at removing {1} from role {2} denied because of lack of permission", RequestingAgentID, AgentID, RoleID); return false; } + // AssignMemberLimited means that the person can assign another person to the same roles that she has in the group + if (!unlimited && limited) + { + // check whether person's has this role + RoleMembershipData rolemembership = m_Database.RetrieveRoleMember(GroupID, RoleID, RequestingAgentID); + if (rolemembership == null) + { + m_log.DebugFormat("[Groups]: ({0}) Attempt at removing {1} from role {2} denied because of limited permission", RequestingAgentID, AgentID, RoleID); + return false; + } + } + RoleMembershipData rolemember = m_Database.RetrieveRoleMember(GroupID, RoleID, AgentID); if (rolemember == null) @@ -812,7 +825,7 @@ namespace OpenSim.Groups if (RoleID != UUID.Zero) _AddAgentToGroupRole(RequestingAgentID, AgentID, GroupID, RoleID); - // Make thit this active group + // Make this the active group PrincipalData pdata = new PrincipalData(); pdata.PrincipalID = AgentID; pdata.ActiveGroupID = GroupID;
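Review bot: Removal from a role is authorised here by the assignment powers alone (`AssignMember`, and with this change `AssignMemberLimited`). If the service is meant to mirror the viewer's permission model, which as far as I recall has a separate `GroupPowers.RemoveMember` ability, this path never consults it; that is worth confirming before limited assigners gain removal rights. The added comment is copied from the add path and still talks about assigning; `// AssignMemberLimited: the requester may only remove members from roles she holds herself` fits this branch. The new denial goes to `m_log.DebugFormat`, so a refused removal is invisible at higher log levels. The enclosing method starts and ends outside the hunk.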