From 4b7fe84c363e7b3280a8252efeaa166885d43fbe Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Fri, 13 Mar 2026 15:47:56 -0700 Subject: [PATCH] Address folder admin assigning themselves project admin role --- .../labkey/api/security/SecurityPolicyManager.java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/api/src/org/labkey/api/security/SecurityPolicyManager.java b/api/src/org/labkey/api/security/SecurityPolicyManager.java index 173a64fbdf5..93a1baf4486 100644 --- a/api/src/org/labkey/api/security/SecurityPolicyManager.java +++ b/api/src/org/labkey/api/security/SecurityPolicyManager.java @@ -40,6 +40,7 @@ import org.labkey.api.data.TableSelector; import org.labkey.api.exceptions.OptimisticConflictException; import org.labkey.api.query.FieldKey; +import org.labkey.api.security.permissions.AddUserPermission; import org.labkey.api.security.roles.Role; import org.labkey.api.security.roles.RoleManager; import org.labkey.api.util.logging.LogHelper; @@ -179,6 +180,19 @@ public static boolean savePolicy(@NotNull MutableSecurityPolicy policy, @NotNull } } + // This is a simple 26.3 fix for GitHub Issue #909. TODO: In 26.4+, change to a first class approach for + // validating all admin attempts at assigning admin roles or impersonating admin users, groups, and roles. + // + // For now, just use AddUserPermission as a proxy for Folder Admin attemping to assign Project Admin role + if (c.isProject() && !c.hasPermission(user, AddUserPermission.class)) + { + for (Role changedRole : changedRoles) + { + if (changedRole.getPermissions().contains(AddUserPermission.class)) + throw new UnauthorizedException("You do not have permission to modify the " + changedRole.getName() + " role."); + } + } + savePolicyToDBAndValidate(policy); writeToAuditLog(c, user, resource, oldPolicy, policy);