Merge pull request #7125 from skateman/sanitize-group-switch

Do not allow the users to switch to a group that they don't belong to
ManageIQ · Jun 15, 2020 · 1db1f05 · 1db1f05
2 parents 89fd3e0 + 64bf2a7
commit 1db1f05
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
@@ -589,7 +589,7 @@ def logout
   def change_group
     # Get the user and new group and set current_group in the user record
     db_user = current_user
-    db_user.update(:current_group => MiqGroup.find_by(:id => params[:to_group]))
+    db_user.update(:current_group => db_user.miq_groups.find_by!(:id => params[:to_group]))
 
     # Rebuild the session
     session_reset