diff --git a/dotCMS/src/main/java/com/dotcms/rest/api/v1/portlet/ToolGroupResource.java b/dotCMS/src/main/java/com/dotcms/rest/api/v1/portlet/ToolGroupResource.java index ece7ceb94695..096a5bff32a6 100644 --- a/dotCMS/src/main/java/com/dotcms/rest/api/v1/portlet/ToolGroupResource.java +++ b/dotCMS/src/main/java/com/dotcms/rest/api/v1/portlet/ToolGroupResource.java @@ -76,6 +76,11 @@ public final Response deleteToolGroupFromUser(@Context final HttpServletRequest .init() .getUser(); + if (!loggedInUser.isAdmin()) { + throw new DotSecurityException( + "User does not have permission to remove layouts from users"); + } + if (null != userid){ user = APILocator.getUserAPI().loadUserById(userid, loggedInUser, true); } @@ -116,6 +121,11 @@ public final Response addToolGroupToUser(@Context final HttpServletRequest reque .init() .getUser(); + if (!layoutId.equalsIgnoreCase("gettingstarted") && !loggedInUser.isAdmin()) { + throw new DotSecurityException( + "User does not have permission to assign layouts"); + } + if (null != userid){ user = APILocator.getUserAPI().loadUserById(userid, loggedInUser, true); } diff --git a/dotCMS/src/main/java/com/dotmarketing/business/ajax/RoleAjax.java b/dotCMS/src/main/java/com/dotmarketing/business/ajax/RoleAjax.java index 2229f4f41822..4e4160332456 100644 --- a/dotCMS/src/main/java/com/dotmarketing/business/ajax/RoleAjax.java +++ b/dotCMS/src/main/java/com/dotmarketing/business/ajax/RoleAjax.java @@ -282,7 +282,14 @@ private Map getUserMap(final User user) public void removeUsersFromRole(String[] userIds, String roleId) throws DotDataException, NoSuchUserException, DotRuntimeException, PortalException, SystemException, DotSecurityException { //Validate if this logged in user has the required permissions to access the roles portlet - validateRolesPortletPermissions(getLoggedInUser()); + final User callerForRemove = getLoggedInUser(); + validateRolesPortletPermissions(callerForRemove); + if (!callerForRemove.isAdmin()) { + SecurityLogger.logInfo(getClass(), + "Unauthorized attempt to remove role by user " + callerForRemove.getUserId()); + throw new DotSecurityException( + "User does not have permission to remove roles from users"); + } WebContext ctx = WebContextFactory.get(); RoleAPI roleAPI = APILocator.getRoleAPI(); @@ -310,7 +317,14 @@ public void removeUsersFromRole(String[] userIds, String roleId) throws DotDataE public Map addUserToRole(String userId, String roleId) throws DotDataException, DotRuntimeException, PortalException, SystemException, DotSecurityException, IllegalAccessException, InvocationTargetException, NoSuchMethodException { //Validate if this logged in user has the required permissions to access the roles portlet - validateRolesPortletPermissions(getLoggedInUser()); + final User caller = getLoggedInUser(); + validateRolesPortletPermissions(caller); + if (!caller.isAdmin()) { + SecurityLogger.logInfo(getClass(), + "Unauthorized attempt to assign role by user " + caller.getUserId()); + throw new DotSecurityException( + "User does not have permission to assign roles to users"); + } WebContext ctx = WebContextFactory.get(); RoleAPI roleAPI = APILocator.getRoleAPI();