From f4a51116f63ac9641f3df254fbf8001c771903df Mon Sep 17 00:00:00 2001
From: Melanie Thielker
Date: Thu, 5 Jan 2017 14:17:00 +0000
Subject: Fix some permissions checks in groups

The code checked the permissions of a person being added to a role
rather than those of the person doing the adding. Also, limited
permission role removal wasn't implemented.
---
 OpenSim/Addons/Groups/Service/GroupsService.cs | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'OpenSim/Addons')

diff --git a/OpenSim/Addons/Groups/Service/GroupsService.cs b/OpenSim/Addons/Groups/Service/GroupsService.cs
index ae0518c..710b00a 100644
--- a/OpenSim/Addons/Groups/Service/GroupsService.cs
+++ b/OpenSim/Addons/Groups/Service/GroupsService.cs
@@ -496,7 +496,7 @@ namespace OpenSim.Groups
             if (!unlimited && limited)
             {
                 // check whether person's has this role
-                RoleMembershipData rolemembership = m_Database.RetrieveRoleMember(GroupID, RoleID, AgentID);
+                RoleMembershipData rolemembership = m_Database.RetrieveRoleMember(GroupID, RoleID, RequestingAgentID);
                 if (rolemembership == null)
                 {
                     m_log.DebugFormat("[Groups]: ({0}) Attempt at assigning {1} to role {2} denied because of limited permission", RequestingAgentID, AgentID, RoleID);
@@ -516,13 +516,26 @@ namespace OpenSim.Groups
                 return false;
 
             // check permissions
+            bool limited = HasPower(RequestingAgentID, GroupID, GroupPowers.AssignMemberLimited);
             bool unlimited = HasPower(RequestingAgentID, GroupID, GroupPowers.AssignMember) || IsOwner(RequestingAgentID, GroupID);
-            if (!unlimited)
+            if (!limited && !unlimited)
             {
                 m_log.DebugFormat("[Groups]: ({0}) Attempt at removing {1} from role {2} denied because of lack of permission", RequestingAgentID, AgentID, RoleID);
                 return false;
             }
 
+            // AssignMemberLimited means that the person can assign another person to the same roles that she has in the group
+            if (!unlimited && limited)
+            {
+                // check whether person's has this role
+                RoleMembershipData rolemembership = m_Database.RetrieveRoleMember(GroupID, RoleID, RequestingAgentID);
+                if (rolemembership == null)
+                {
+                    m_log.DebugFormat("[Groups]: ({0}) Attempt at removing {1} from role {2} denied because of limited permission", RequestingAgentID, AgentID, RoleID);
+                    return false;
+                }
+            }
+
             RoleMembershipData rolemember = m_Database.RetrieveRoleMember(GroupID, RoleID, AgentID);
 
             if (rolemember == null)
@@ -812,7 +825,7 @@ namespace OpenSim.Groups
             if (RoleID != UUID.Zero)
                 _AddAgentToGroupRole(RequestingAgentID, AgentID, GroupID, RoleID);
 
-            // Make thit this active group
+            // Make this the active group
             PrincipalData pdata = new PrincipalData();
             pdata.PrincipalID = AgentID;
             pdata.ActiveGroupID = GroupID;
-- 
cgit v1.1