From 93ee86fa64ddb9a9da882da3049feef3dc5d634d Mon Sep 17 00:00:00 2001 From: Ioannis Igoumenos Date: Tue, 5 Mar 2024 20:18:31 +0200 Subject: [PATCH] revert security unlocked actions --- Controller/GrouperGroupsController.php | 16 +++++++++--- Lib/GrouperApiAccess.php | 35 +++++++++++++++++++------- webroot/js/groups.js | 1 - 3 files changed, 38 insertions(+), 14 deletions(-) diff --git a/Controller/GrouperGroupsController.php b/Controller/GrouperGroupsController.php index 68b8ed5..f4c65cf 100644 --- a/Controller/GrouperGroupsController.php +++ b/Controller/GrouperGroupsController.php @@ -105,10 +105,18 @@ public function beforeFilter() throw new InvalidArgumentException(_txt('er.grouperlite.glid'), HttpStatusCodesEnum::HTTP_BAD_REQUEST); } - - if ($this->request->is('ajax')) { - $this->RequestHandler->addInputType('json', array('json_decode', true)); - } + $this->response->disableCache(); + $this->RequestHandler->addInputType('json', array('json_decode', true)); + + $this->Security->unlockedActions = [ + 'removeSubscriber', + 'addSubscriber', + 'joinGroup', + 'leaveGroup', + 'groupMember', + 'groupOptin', + 'groupOwner' + ]; // Get the config $args = array(); diff --git a/Lib/GrouperApiAccess.php b/Lib/GrouperApiAccess.php index 3eb5c40..6f77fa9 100644 --- a/Lib/GrouperApiAccess.php +++ b/Lib/GrouperApiAccess.php @@ -332,6 +332,9 @@ public function deleteGroupWithTemplate(string $actAsUserId, string $workingGrou */ public function getGroupInfo(string $groupName): array { + if(empty($groupName)) { + return []; + } $groupInfo = []; //Build request logic @@ -362,7 +365,7 @@ public function getGroupInfo(string $groupName): array $groupInfo = $results['WsGetAttributeAssignmentsResults']['wsGroups']; } - //Now get the Group Attributes and add them to group + // Now get the Group Attributes and add them to group $groupInfo[0]['attributes'] = $results['WsGetAttributeAssignmentsResults']['wsAttributeAssigns'] ?? []; return $groupInfo; 
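Review bot: The new `$this->Security->unlockedActions` list exempts seven state-changing actions (removeSubscriber, addSubscriber, joinGroup, leaveGroup, groupMember, groupOptin, groupOwner) from SecurityComponent, and in CakePHP 2 an unlocked action skips both the POST-tamper validation and the CSRF token check, so those endpoints keep authentication as their only protection against cross-site requests; the subject line "revert security unlocked actions" also reads as removing the unlock while the hunk adds it, so the intended direction should be confirmed. If the unlock is only needed because JSON bodies cannot pass the form-field validation, setting `$this->Security->validatePost = false;` when `$this->action` is one of these actions keeps `csrfCheck` active; otherwise record the reason above the list, e.g. `// CSRF and POST validation intentionally disabled for these JSON endpoints: <reason>`. The `if ($this->request->is('ajax'))` guard around `addInputType('json', …)` was removed as well, so JSON bodies are now decoded for every request to this controller, which looks intended but deserves a line in the commit message. beforeFilter() continues outside the hunk.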
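Review bot: The new guard `if(empty($groupName)) { return []; }` in getGroupInfo() uses `empty()`, which is also true for the string `'0'`, and it returns a bare empty array while the unchanged tail of the function (`$groupInfo[0]['attributes'] = … ?? [];`, shown in the next hunk) always yields an element at index 0, so callers now see two different shapes and nothing in the docblock says so. Prefer `if ($groupName === '') { return []; }` (or throw an InvalidArgumentException, matching the exception style used elsewhere in the class) and add `@return array Empty when $groupName is blank` to the docblock, which lies outside the hunk. The same `empty()` guard, with the same `'0'` caveat and `if(` spacing that PSR-12 writes as `if (`, is added in getUserGroups(), getUserMemberships() and getGroupMembers() in the later hunks. getGroupInfo() continues outside the hunk.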
@@ -376,22 +379,22 @@ public function getGroupInfo(string $groupName): array * Note: Params added at end make sure that the groups returned can only be viewed by the member logged into * Grouper Lite * - * @param string $actorUserId + * @param string $actAsUserId * @param string $userId * * @return array Membership records that User is a member of in Grouper * * @throws GrouperLiteWidgetException */ - public function getUserGroups(string $actorUserId, string $userId): array + public function getUserGroups(string $actAsUserId, string $userId): array { - if(empty($userId)) { + if(empty($userId) || empty($actAsUserId)) { return []; } $actionEndpoint = "/subjects/{$userId}/groups?" . 'wsLiteObjectType=WsRestGetGroupsLiteRequest' - . "&actAsSubjectId={$actorUserId}"; + . "&actAsSubjectId={$actAsUserId}"; try { $results = $this->http->sendRequest('GET', $actionEndpoint); } catch (Exception $e) { @@ -445,6 +448,13 @@ public function getUserGroups(string $actorUserId, string $userId): array */ public function getUserMemberships(string $userId, string $actAsUserId, string $groupType): array { + if(empty($actAsUserId) + || empty($userId) + || empty($groupType) + ) { + return []; + } + if(!in_array($groupType, [ GrouperGroupTypeEnum::OPTINS, GrouperGroupTypeEnum::OPTOUTS, 
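Review bot: `$actAsUserId` is interpolated straight into the query string on the changed line `. "&actAsSubjectId={$actAsUserId}"`, and `$userId` into the path on the unchanged line above it, with no URL encoding; a value containing `/`, `?`, `&` or `#` would alter which Grouper endpoint is called or append extra query parameters, and the new `empty()` guard does not prevent that. Even if both values come from the authenticated session rather than the request, encoding at the call site keeps the endpoint well-formed: `$actionEndpoint = '/subjects/' . rawurlencode($userId) . '/groups?'` and `. '&actAsSubjectId=' . rawurlencode($actAsUserId);`. getUserGroups() continues outside the hunk, and the same interpolation pattern is worth checking in the other endpoint builders of this class.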
@@ -496,11 +506,12 @@ public function getUserMemberships(string $userId, string $actAsUserId, string $ /** * Get members associated to a specific Grouper Group * - * @param string $actorUserId + * @param string $actAsUserId * @param string $groupName * * @return array Listing of Members belonging to Grouper Group - * @throws GrouperLiteWidgetException|JsonException|NotFoundException + * @throws GrouperLiteWidgetException + * @throws JsonException * @example https://github.com/Internet2/grouper/blob/master/grouper-ws/grouper-ws/doc/samples/getGroups/WsSampleGetGroupsRest_json.txt * * $: > grouperClientAlias --debug=true --operation=getMembersWs --actAsSubjectId=john.b.doe@at.internet2.edu --subjectAttributeNames=name --groupNames=ref:incommon-collab:co:member @@ -532,13 +543,19 @@ public function getUserMemberships(string $userId, string $actAsUserId, string $ * } * } */ - public function getGroupMembers(string $actorUserId, string $groupName): array + public function getGroupMembers(string $actAsUserId, string $groupName): array { + if(empty($actAsUserId) + || empty($groupName) + ) { + return []; + } + //Build request logic $usersToShow = [ 'WsRestGetMembersRequest' => [ 'actAsSubjectLookup' => [ - 'subjectId' => $actorUserId + 'subjectId' => $actAsUserId ], 'wsGroupLookups' => [ ['groupName' => $groupName] diff --git a/webroot/js/groups.js b/webroot/js/groups.js index c4cf3a4..dae157a 100644 --- a/webroot/js/groups.js +++ b/webroot/js/groups.js @@ -42,7 +42,6 @@ export default { const resp = await fetch(`${apiPath}`, { headers: { "Accept": "application/json", - // 'Content-Type': 'application/x-www-form-urlencoded', }, method: "GET" });
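Review bot: The docblock for getGroupMembers() drops `NotFoundException` from `@throws` (previously `GrouperLiteWidgetException|JsonException|NotFoundException`), but the following hunk only adds an early return and renames a parameter, and most of the method body is outside the hunk, so it is not visible that the NotFoundException path was removed. Unless that path was deleted elsewhere, restore the line `* @throws NotFoundException` so callers keep catching it. Splitting the remaining `@throws` onto one line each is otherwise an improvement.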