# Workaround patch file for https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh
# For patching Open XDMoD versions <= 11.0.2
diff --git a/html/controllers/sab_user.php b/html/controllers/sab_user.php
index 5821a70760..8b6331b996 100644
--- a/html/controllers/sab_user.php
+++ b/html/controllers/sab_user.php
@@ -4,19 +4,15 @@
 *
 * operation: params -----
 * enum_tg_users: start, limit, [query], pi_only
- * assign_assumed_person: person_id
- * get_mapping: use_default
 */
 require_once __DIR__ . '/../../configuration/linker.php';
 \xd_security\start_session();
-$controller = new XDController(array(STATUS_LOGGED_IN));
+$controller = new XDController(array(STATUS_LOGGED_IN, STATUS_MANAGER_ROLE));
 $controller->registerOperation('enum_tg_users');
-$controller->registerOperation('assign_assumed_person');
-$controller->registerOperation('get_mapping');
 $session_variable = (isset($_POST['dashboard_mode']))
diff --git a/html/controllers/sab_user/assign_assumed_person.php b/html/controllers/sab_user/assign_assumed_person.php
deleted file mode 100644
index 3a63c7a88d..0000000000
--- a/html/controllers/sab_user/assign_assumed_person.php
+++ /dev/null
@@ -1,38 +0,0 @@
-assign_assumed_person
-
-$params = array('person_id' => RESTRICTION_ASSIGNMENT);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_id_specified',
- 'message' => 'invalid_id_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$xdw = new XDWarehouse();
-
-if ($xdw->resolveName($_POST['person_id']) == NO_MAPPING) {
- $returnData = array(
- 'success' => false,
- 'status' => 'no_person_mapping',
- 'message' => 'no_person_mapping',
- );
- xd_controller\returnJSON($returnData);
-}
-
-$_SESSION['assumed_person_id'] = $_POST['person_id'];
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
-);
-
-xd_controller\returnJSON($returnData);
-
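Review bot: The tightened access requirement on the `$controller = new XDController(array(STATUS_LOGGED_IN, STATUS_MANAGER_ROLE));` line is not reflected in the file's header comment, which still lists `enum_tg_users` with its parameters as if any logged-in user could call it. I would add a line to that comment, e.g. ` * All operations require the manager role (see GHSA-3hfh-m242-8rmh); assign_assumed_person and get_mapping were removed.`, so a later maintainer does not re-register the removed operations or relax the role check. Whether XDController treats the two statuses as a conjunction is not visible in this hunk and should be confirmed against its constructor. Any client code that still posts `assign_assumed_person` or `get_mapping` to this controller will presumably now hit the unregistered-operation path, which is worth checking on the JavaScript side of the patch. The statement beginning `$session_variable = (isset($_POST['dashboard_mode']))` continues past the end of the hunk.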
diff --git a/html/controllers/sab_user/get_mapping.php b/html/controllers/sab_user/get_mapping.php
deleted file mode 100644
index 27b174f7fc..0000000000
--- a/html/controllers/sab_user/get_mapping.php
+++ /dev/null
@@ -1,36 +0,0 @@
-get_mapping
-
-$params = array(
- 'use_default' => RESTRICTION_YES_NO
-);
-
-$isValid = xd_security\secureCheck($params, 'POST');
-
-if (!$isValid) {
- $returnData = array(
- 'success' => false,
- 'status' => 'invalid_params_specified',
- 'message' => 'invalid_params_specified',
- );
- xd_controller\returnJSON($returnData);
-};
-
-$logged_in_user = \xd_security\getLoggedInUser();
-
-$mapped_person_id = $logged_in_user->getPersonID($_POST['use_default'] == 'y');
-
-$xdw = new XDWarehouse();
-$mapped_person_name = $xdw->resolveName($mapped_person_id);
-
-$returnData = array(
- 'success' => true,
- 'status' => 'success',
- 'message' => 'success',
- 'mapped_person_id' => $mapped_person_id,
- 'mapped_person_name' => $mapped_person_name,
-);
-
-xd_controller\returnJSON($returnData);
-