80113: Prevent anyone but site admin from accessing /access-control/epeople

2025-10-09 19:13:08 +00:00 · 2021-06-16 16:49:57 +02:00
parent 3fc44f6fc1
commit cf515fe6f0
3 changed files with 19 additions and 7 deletions
--- a/src/app/+admin/admin-sidebar/admin-sidebar.component.ts
+++ b/src/app/+admin/admin-sidebar/admin-sidebar.component.ts
@@ -531,14 +531,17 @@ export class AdminSidebarComponent extends MenuComponent implements OnInit {
   * Create menu sections dependent on whether or not the current user can manage access control groups
   */
  createAccessControlMenuSections() {
-    this.authorizationService.isAuthorized(FeatureID.CanManageGroups).subscribe((authorized) => {
+    observableCombineLatest(
+      this.authorizationService.isAuthorized(FeatureID.AdministratorOf),
+      this.authorizationService.isAuthorized(FeatureID.CanManageGroups)
+    ).subscribe(([isSiteAdmin, canManageGroups]) => {
      const menuList = [
        /* Access Control */
        {
          id: 'access_control_people',
          parentID: 'access_control',
          active: false,
-          visible: authorized,
+          visible: isSiteAdmin,
          model: {
            type: MenuItemType.LINK,
            text: 'menu.section.access_control_people',
@@ -549,7 +552,7 @@ export class AdminSidebarComponent extends MenuComponent implements OnInit {
          id: 'access_control_groups',
          parentID: 'access_control',
          active: false,
-          visible: authorized,
+          visible: canManageGroups,
          model: {
            type: MenuItemType.LINK,
            text: 'menu.section.access_control_groups',
@@ -571,7 +574,7 @@ export class AdminSidebarComponent extends MenuComponent implements OnInit {
        {
          id: 'access_control',
          active: false,
-          visible: authorized,
+          visible: canManageGroups || isSiteAdmin,
          model: {
            type: MenuItemType.TEXT,
            text: 'menu.section.access_control'
--- a/src/app/access-control/access-control-routing-paths.ts
+++ b/src/app/access-control/access-control-routing-paths.ts
@@ -3,6 +3,10 @@ import { getAccessControlModuleRoute } from '../app-routing-paths';

 export const GROUP_EDIT_PATH = 'groups';

+export function getGroupsRoute() {
+  return new URLCombiner(getAccessControlModuleRoute(), GROUP_EDIT_PATH).toString();
+}
+
 export function getGroupEditRoute(id: string) {
  return new URLCombiner(getAccessControlModuleRoute(), GROUP_EDIT_PATH, id).toString();
 }
--- a/src/app/access-control/access-control-routing.module.ts
+++ b/src/app/access-control/access-control-routing.module.ts
@@ -6,6 +6,8 @@ import { GroupsRegistryComponent } from './group-registry/groups-registry.compon
 import { GROUP_EDIT_PATH } from './access-control-routing-paths';
 import { I18nBreadcrumbResolver } from '../core/breadcrumbs/i18n-breadcrumb.resolver';
 import { GroupPageGuard } from './group-registry/group-page.guard';
+import { GroupAdministratorGuard } from '../core/data/feature-authorization/feature-authorization-guard/group-administrator.guard';
+import { SiteAdministratorGuard } from '../core/data/feature-authorization/feature-authorization-guard/site-administrator.guard';

@NgModule({
  imports: [
@@ -16,7 +18,8 @@ import { GroupPageGuard } from './group-registry/group-page.guard';
        resolve: {
          breadcrumb: I18nBreadcrumbResolver
        },
-        data: { title: 'admin.access-control.epeople.title', breadcrumbKey: 'admin.access-control.epeople' }
+        data: { title: 'admin.access-control.epeople.title', breadcrumbKey: 'admin.access-control.epeople' },
+        canActivate: [SiteAdministratorGuard]
      },
      {
        path: GROUP_EDIT_PATH,
@@ -24,7 +27,8 @@ import { GroupPageGuard } from './group-registry/group-page.guard';
        resolve: {
          breadcrumb: I18nBreadcrumbResolver
        },
-        data: { title: 'admin.access-control.groups.title', breadcrumbKey: 'admin.access-control.groups' }
+        data: { title: 'admin.access-control.groups.title', breadcrumbKey: 'admin.access-control.groups' },
+        canActivate: [GroupAdministratorGuard]
      },
      {
        path: `${GROUP_EDIT_PATH}/newGroup`,
@@ -32,7 +36,8 @@ import { GroupPageGuard } from './group-registry/group-page.guard';
        resolve: {
          breadcrumb: I18nBreadcrumbResolver
        },
-        data: { title: 'admin.access-control.groups.title.addGroup', breadcrumbKey: 'admin.access-control.groups.addGroup' }
+        data: { title: 'admin.access-control.groups.title.addGroup', breadcrumbKey: 'admin.access-control.groups.addGroup' },
+        canActivate: [GroupAdministratorGuard]
      },
      {
        path: `${GROUP_EDIT_PATH}/:groupId`,