Commit 90aebcd5 authored by Nigel McNie's avatar Nigel McNie
Browse files

Security fix: Prevent institution admins from administering site admins.

Without this fix, institution admins can login as site admins and do
other such administrative tasks (e.g. reset their password), if the site
admin joins their institution.

Reported by Ruslan Kabalin <>, who supplied a
patch. My patch skips adding an extra method to find out if a given user
is an admin, though it's not any more performant.
Signed-off-by: default avatarNigel McNie <>
parent ee9ace6f
......@@ -557,6 +557,14 @@ class User {
return $this->get('admin') || $this->is_institutional_admin($institution);
* Returns whether this user is allowed to perform administration type
* actions on another user.
* @param mixed $user The user to check we can perform actions on. Can
* either be a User object, a row from the usr table or
* an ID
public function is_admin_for_user($user) {
if ($this->get('admin')) {
return true;
......@@ -564,21 +572,29 @@ class User {
if (!$this->is_institutional_admin()) {
return false;
// Check privileges for institutional admins now
if ($user instanceof User) {
$userinstitutions = $user->get('institutions');
$userobj = $user;
else if (is_numeric($user)) {
$userinstitutions = load_user_institutions($user);
$userobj = new User;
else if (is_object($user)) {
// Should be a row from the usr table
$userinstitutions = load_user_institutions($user->id);
$userobj = new User;
else {
throw new SystemException("Invalid argument pass to is_admin_for_user method");
foreach ($userinstitutions as $i) {
if ($userobj->get('admin')) {
return false;
foreach ($userobj->get('institutions') as $i) {
if ($this->is_institutional_admin($i->institution)) {
return true;
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment