Check perms for any groups changes on user update (#594) (#606)

When updating a User's Group's in the UserSerializer, only added groups were being checked to see if they have permission. The requesting user can only change the Users group if the changed groups are groups the requesting user is in. See AAH-148 for details. No-Issue (cherry picked from commit 616c182) Co-authored-by: Adrian Likins <[email protected]>
ansible · Dec 14, 2020 · afabf1b · afabf1b
1 parent 43c5100
commit afabf1b
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/galaxy_ng/app/api/ui/serializers/user.py b/galaxy_ng/app/api/ui/serializers/user.py
@@ -44,13 +44,20 @@ def validate_password(self, password):
     def validate_groups(self, groups):
         request_user = self.context['request'].user
 
+        group_set = set(groups)
+        instance_group_set = set()
+        if self.instance:
+            instance_group_set = set(list(self.instance.groups.all()))
+
+        group_difference = instance_group_set.symmetric_difference(group_set)
+
         if not request_user.has_perm('galaxy.change_group'):
             authed_user_groups = request_user.groups.all()
-            for g in groups:
+            for g in group_difference:
                 if not authed_user_groups.filter(pk=g.id).exists():
                     raise ValidationError(detail={
-                        "groups": "'galaxy.change_group' permission is required to add"
-                                  " users to a group that the current user is not in."
+                        "groups": "'galaxy.change_group' permission is required to change"
+                                  " a users group that the requesting user is not in."
                     })
 
         return groups