diff --git a/core/src/org/labkey/core/security/SecurityApiActions.java b/core/src/org/labkey/core/security/SecurityApiActions.java index 6c52e69f4f1..540fdbf2a5d 100644 --- a/core/src/org/labkey/core/security/SecurityApiActions.java +++ b/core/src/org/labkey/core/security/SecurityApiActions.java @@ -1100,6 +1100,12 @@ public ApiResponse execute(GroupForm form, BindException errors) throw new UnauthorizedException("You do not have permission to modify site-wide groups."); } + // A project group must belong to the current container + if (_group.getContainer() != null && !container.getId().equals(_group.getContainer())) + { + throw new UnauthorizedException("The specified group does not belong to this project."); + } + SecurityController.verifyUserCanModifyGroup(_group, getUser()); Map memberErrors = new HashMap<>(); @@ -1213,6 +1219,11 @@ private void addOrReplaceMembers(GroupForm form, Map if (principal == null && member.getEmail() != null) // create the user { + if (!getContainer().hasPermission(getUser(), AddUserPermission.class)) + { + memberErrors.put(member.getEmail(), "You do not have permission to create new users."); + continue; + } try { SecurityManager.NewUserStatus status = SecurityManager.addUser(new ValidEmail(member.getEmail()), getUser());