Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions core/src/org/labkey/core/security/SecurityApiActions.java
Original file line number Diff line number Diff line change
Expand Up @@ -1100,6 +1100,12 @@ public ApiResponse execute(GroupForm form, BindException errors)
throw new UnauthorizedException("You do not have permission to modify site-wide groups.");
}

// A project group must belong to the current container
if (_group.getContainer() != null && !container.getId().equals(_group.getContainer()))
{
throw new UnauthorizedException("The specified group does not belong to this project.");
}

SecurityController.verifyUserCanModifyGroup(_group, getUser());

Map<String, String> memberErrors = new HashMap<>();
Expand Down Expand Up @@ -1213,6 +1219,11 @@ private void addOrReplaceMembers(GroupForm form, Map<String, List<UserPrincipal>

if (principal == null && member.getEmail() != null) // create the user
{
if (!getContainer().hasPermission(getUser(), AddUserPermission.class))
{
memberErrors.put(member.getEmail(), "You do not have permission to create new users.");
continue;
}
try
{
SecurityManager.NewUserStatus status = SecurityManager.addUser(new ValidEmail(member.getEmail()), getUser());
Expand Down