From 11502d2e92a84093f788a9bfe5931626c6efdf32 Mon Sep 17 00:00:00 2001
From: Eric Espie
Date: Mon, 27 May 2024 14:55:37 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B07478=20-=20Users=20(except=20admins)=20a?= =?UTF-8?q?re=20not=20allowed=20to=20manage=20their=20own=20allowed=20org?= =?UTF-8?q?=20list?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/userrights.class.inc.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php
index 023cdf1bdf..84cf814a83 100644
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -2,6 +2,7 @@
 
 use Combodo\iTop\Application\Helper\Session;
 use Combodo\iTop\Application\WebPage\WebPage;
+use Combodo\iTop\Service\Events\EventData;
 
 define('UR_ALLOWED_NO', 0);
 define('UR_ALLOWED_YES', 1);
@@ -261,11 +262,23 @@ abstract class User extends cmdbAbstractObject
 MetaModel::Init_SetZListItems('default_search', array('login', 'contactid', 'status', 'org_id')); // Default criteria of the search banner
 }
 
+ protected function RegisterEventListeners()
+ {
+ if ($this->IsCurrentUser() && !UserRights::IsAdministrator()) {
+ $this->RegisterCRUDListener(EVENT_DB_SET_ATTRIBUTES_FLAGS, 'SetAllowedOrgListReadOnly');
+ }
+ }
+
 abstract public function CheckCredentials($sPassword);
 abstract public function TrustWebServerContext();
 abstract public function CanChangePassword();
 abstract public function ChangePassword($sOldPassword, $sNewPassword);
 
+ protected function SetAllowedOrgListReadOnly(EventData $oEventData)
+ {
+ $this->AddAttributeFlags('allowed_org_list', OPT_ATT_READONLY);
+ }
+
 /*
 * Compute a name in best effort mode
 *
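Review bot: The restriction added in `SetAllowedOrgListReadOnly` is expressed only as an `OPT_ATT_READONLY` attribute flag, so it protects `allowed_org_list` only on write paths that consult attribute flags. The diff does not show whether update paths outside the edit form do so; if they do not, a non-administrator changing their own organization scope would also need to be rejected in the class's write validation. Separately, the condition in `RegisterEventListeners` is evaluated once, when the listener is registered, and it is not visible here whether the object's key is already loaded at that point. Registering the listener unconditionally and testing `if ($this->IsCurrentUser() && !UserRights::IsAdministrator())` inside the handler would make the decision when the flags are computed. Both new methods would also benefit from a short docblock stating the rule (non-admin users cannot edit their own allowed organizations) and noting that `$oEventData` is unused.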