From babe3d69bb5b8c812b4b9aede3cf111e9a31ca6c Mon Sep 17 00:00:00 2001 From: labkey-jeckels Date: Fri, 10 Jul 2026 15:07:00 -0700 Subject: [PATCH] GitHub Issue 1300: BulkUpgradeGroupAction scoping changes --- .../org/labkey/core/security/SecurityApiActions.java | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/core/src/org/labkey/core/security/SecurityApiActions.java b/core/src/org/labkey/core/security/SecurityApiActions.java index 34e2e51a29c..a90194334c5 100644 --- a/core/src/org/labkey/core/security/SecurityApiActions.java +++ b/core/src/org/labkey/core/security/SecurityApiActions.java @@ -1106,6 +1106,12 @@ public ApiResponse execute(GroupForm form, BindException errors) throw new UnauthorizedException("You do not have permission to modify site-wide groups."); } + // A project group must belong to the current container + if (_group.getContainer() != null && !container.getId().equals(_group.getContainer())) + { + throw new UnauthorizedException("The specified group does not belong to this project."); + } + SecurityController.verifyUserCanModifyGroup(_group, getUser()); Map memberErrors = new HashMap<>(); @@ -1219,6 +1225,11 @@ private void addOrReplaceMembers(GroupForm form, Map if (principal == null && member.getEmail() != null) // create the user { + if (!getContainer().hasPermission(getUser(), AddUserPermission.class)) + { + memberErrors.put(member.getEmail(), "You do not have permission to create new users."); + continue; + } try { SecurityManager.NewUserStatus status = SecurityManager.addUser(new ValidEmail(member.getEmail()), getUser());