From 21f2455bcba66c435bf38227d282dbc35ea14bd8 Mon Sep 17 00:00:00 2001 From: Josh Eckels Date: Mon, 13 Jul 2026 17:21:03 -0700 Subject: [PATCH] GitHub Issue 1300: BulkUpgradeGroupAction scoping changes (#7836) ## Rationale BulkUpgradeGroupAction is inconsistent with other actions for its permission checks ## Changes - Check container and for a separate permission for adding a new user --- .../org/labkey/core/security/SecurityApiActions.java | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/core/src/org/labkey/core/security/SecurityApiActions.java b/core/src/org/labkey/core/security/SecurityApiActions.java index 6c52e69f4f1..540fdbf2a5d 100644 --- a/core/src/org/labkey/core/security/SecurityApiActions.java +++ b/core/src/org/labkey/core/security/SecurityApiActions.java @@ -1100,6 +1100,12 @@ public ApiResponse execute(GroupForm form, BindException errors) throw new UnauthorizedException("You do not have permission to modify site-wide groups."); } + // A project group must belong to the current container + if (_group.getContainer() != null && !container.getId().equals(_group.getContainer())) + { + throw new UnauthorizedException("The specified group does not belong to this project."); + } + SecurityController.verifyUserCanModifyGroup(_group, getUser()); Map memberErrors = new HashMap<>(); @@ -1213,6 +1219,11 @@ private void addOrReplaceMembers(GroupForm form, Map if (principal == null && member.getEmail() != null) // create the user { + if (!getContainer().hasPermission(getUser(), AddUserPermission.class)) + { + memberErrors.put(member.getEmail(), "You do not have permission to create new users."); + continue; + } try { SecurityManager.NewUserStatus status = SecurityManager.addUser(new ValidEmail(member.getEmail()), getUser());