pkp#10738 Prevent imports of users with ROLE_ID_SITE_ADMIN

kaitlinnewson · Dec 19, 2024 · 17b6634 · 17b6634
1 parent d6c92cf
commit 17b6634
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/classes/security/RoleDAO.php b/classes/security/RoleDAO.php
@@ -100,6 +100,9 @@ public function getByUserIdGroupedByContext(int $userId)
 
         $roles = [];
         foreach ($userGroups as $userGroup) {
+            // The site admin role MUST only be present for context ID 0.
+            if ($userGroup->getContextId() != 0 && $userGroup->getRoleId() == Role::ROLE_ID_SITE_ADMIN) continue;
+
             $role = $roleDao->newDataObject();
             $role->setRoleId($userGroup->getRoleId());
             $roles[$userGroup->getContextId()][$userGroup->getRoleId()] = $role;

diff --git a/plugins/importexport/users/filter/NativeXmlUserGroupFilter.php b/plugins/importexport/users/filter/NativeXmlUserGroupFilter.php
@@ -20,6 +20,7 @@
 use PKP\filter\FilterGroup;
 use PKP\userGroup\relationships\UserGroupStage;
 use PKP\userGroup\UserGroup;
+use PKP\security\Role;
 
 class NativeXmlUserGroupFilter extends \PKP\plugins\importexport\native\filter\NativeImportFilter
 {
@@ -90,7 +91,7 @@ public function handleElement($node)
             for ($n = $node->firstChild; $n !== null; $n = $n->nextSibling) {
                 if ($n instanceof \DOMElement) {
                     switch ($n->tagName) {
-                        case 'role_id': $userGroup->setRoleId($n->textContent);
+                        case 'role_id': $userGroup->setRoleId((int) $n->textContent);
                             break;
                         case 'is_default': $userGroup->setDefault($n->textContent ?? false);
                             break;
@@ -108,6 +109,13 @@ public function handleElement($node)
                 }
             }
 
+            if (!in_array(
+	        $userGroup->getRoleId(),
+	        [Role::ROLE_ID_MANAGER, Role::ROLE_ID_SUB_EDITOR, Role::ROLE_ID_AUTHOR, Role::ROLE_ID_REVIEWER, Role::ROLE_ID_ASSISTANT, Role::ROLE_ID_READER, Role::ROLE_ID_SUBSCRIPTION_MANAGER]
+                )) {
+                throw new \Exception('Unacceptable role_id ' . $userGroup->getRoleId());
+            }
+
             $userGroupId = Repo::userGroup()->add($userGroup);
 
             $stageNodeList = $node->getElementsByTagNameNS($deployment->getNamespace(), 'stage_assignments');