Tighten organisation admin permissions & password reset workflow

2023-09-07 11:53:39 +01:00
parent f3af94a285
commit dead350676
7 changed files with 200 additions and 4 deletions
--- a/src/Database/Seeds/OrganisationPermissions.php
+++ b/src/Database/Seeds/OrganisationPermissions.php
@@ -241,7 +241,7 @@ class OrganisationPermissions extends BaseSeed
            'update_user_field_organisation' => new Permission([
                'slug'        => 'update_user_field',
                'name'        => 'Edit organisation user',
-                'conditions'  => "has_matching_organisation(self.id,user.id,true) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
+                'conditions'  => "has_matching_organisation(self.id,user.id,1) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
                'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.',
            ]),
        ];