From 1572681307049f7604211f920632b8581234c664 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Thu, 28 Nov 2024 21:28:24 +0100
Subject: [PATCH] fix: [authkeys] better permission / listing handling

- allow group admins to manage api keys of their group
- when adding an authkey from the user view, don't list every user in the dropdown, focus on the selected user
---
 src/Controller/AuthKeysController.php | 46 +++++++++-------------
 src/Controller/Component/CRUDComponent.php | 4 ++
 src/Model/Table/AuthKeysTable.php | 32 +++++++++++++++
 templates/AuthKeys/index.php | 4 +-
 4 files changed, 57 insertions(+), 29 deletions(-)

diff --git a/src/Controller/AuthKeysController.php b/src/Controller/AuthKeysController.php
index be4434b..e65827b 100644
--- a/src/Controller/AuthKeysController.php
+++ b/src/Controller/AuthKeysController.php
@@ -22,20 +22,29 @@ class AuthKeysController extends AppController
 {
 $currentUser = $this->ACL->getUser();
 $conditions = [];
+ $userId = $this->request->getQuery('Users_id');
+ if (!empty($userId)) {
+ $conditions['AND']['Users.id'] = $userId;
+ }
+
 if (empty($currentUser['role']['perm_community_admin'])) {
 $conditions['Users.organisation_id'] = $currentUser['organisation_id'];
 if (empty($currentUser['role']['perm_org_admin'])) {
 $conditions['Users.id'] = $currentUser['id'];
 }
 }
- $this->CRUD->index([
+ $indexOptions = [
 'filters' => $this->filterFields,
 'quickFilters' => $this->quickFilterFields,
 'contain' => $this->containFields,
 'exclude_fields' => ['authkey'],
 'conditions' => $conditions,
 'hidden' => []
- ]);
+ ];
+ if (!empty($userId)) {
+ $indexOptions['action_query_strings'] = ['Users.id' => $userId];
+ }
+ $this->CRUD->index($indexOptions);
 $responsePayload = $this->CRUD->getResponsePayload();
 if (!empty($responsePayload)) {
 return $responsePayload;
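Review bot: index() keeps its own copy of the permission conditions (the `perm_community_admin` / `perm_org_admin` block left as context) while delete() and add() in this same patch switch to `$this->AuthKeys->buildUserConditions($currentUser)`, so a group admin without perm_org_admin is listed only their own keys yet can add or delete keys for the whole group. Replace the block with `$conditions = $this->AuthKeys->buildUserConditions($currentUser);` and keep the `Users_id` narrowing on top of it. That narrowing is ANDed with the permission conditions, so it can only restrict the listing, which is the right direction; since `getQuery()` returns the raw query value (possibly an array for `Users_id[]=…`), consider validating it as a single integer before using it as a condition value and echoing it back via `action_query_strings`. index() continues past the end of the hunk.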
@@ -46,13 +55,7 @@ class AuthKeysController extends AppController
 public function delete($id)
 {
 $currentUser = $this->ACL->getUser();
- $conditions = [];
- if (empty($currentUser['role']['perm_community_admin'])) {
- $conditions['Users.organisation_id'] = $currentUser['organisation_id'];
- if (empty($currentUser['role']['perm_org_admin'])) {
- $conditions['Users.id'] = $currentUser['id'];
- }
- }
+ $conditions = $this->AuthKeys->buildUserConditions($currentUser);
 $this->CRUD->delete($id, ['conditions' => $conditions, 'contain' => 'Users']);
 $responsePayload = $this->CRUD->getResponsePayload();
 if (!empty($responsePayload)) {
@@ -67,27 +70,16 @@ class AuthKeysController extends AppController
 $validUsers = [];
 $userConditions = [];
 $currentUser = $this->ACL->getUser();
- if (empty($currentUser['role']['perm_community_admin'])) {
- if (empty($currentUser['role']['perm_org_admin'])) {
- $userConditions['id'] = $currentUser['id'];
- } else {
- $role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_community_admin' => 0, 'perm_org_admin' => 0])->all()->extract('id')->toList();
- $userConditions['organisation_id'] = $currentUser['organisation_id'];
- $subConditions = [
- ['id' => $currentUser['id']]
- ];
- if (!empty($role_ids)) {
- $subConditions[] = ['role_id IN' => $role_ids];
- }
- $userConditions['OR'] = $subConditions;
- }
- }
+ $conditions = $this->AuthKeys->buildUserConditions($currentUser);
+ $userId = $this->request->getQuery('Users_id');
 $users = $this->Users->find('list');
- if (!empty($userConditions)) {
- $users->where($userConditions);
+ if (!empty($conditions)) {
+ $users->where($conditions);
+ }
+ if (!empty($userId)) {
+ $users->where(['Users.id' => $userId]);
 }
 $users = $users->order(['username' => 'asc'])->all()->toArray();
-
 $this->CRUD->add([
 'displayOnSuccess' => 'authkey_display',
 'beforeSave' => function($data) use ($users) {
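Review bot: `$userConditions = [];` (in the first context lines of the add() hunk) is now dead — the permission filter is built into `$conditions` by `buildUserConditions()` and nothing in the hunk reads `$userConditions` any more; drop the line, and check whether `$validUsers` is still populated further down. The `Users_id` narrowing is applied as an extra `->where()` on top of the permission conditions, so the dropdown cannot widen beyond what the caller may manage, which is correct; validating `$userId` as a single integer before `->where(['Users.id' => $userId])` would keep an array-valued query string from reaching the ORM. add() continues outside the hunk.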
diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index ed374fe..558b439 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -272,6 +272,10 @@ class CRUDComponent extends Component
 $this->Controller->set('model', $this->Table);
 $this->Controller->set('data', $data);
 $this->Controller->set('embedInModal', $embedInModal);
+ if (!empty($options['action_query_strings'])) {
+ $this->Controller->set('action_query_strings', $options['action_query_strings']);
+
+ }
 $this->Controller->set('skipTableToolbar', $skipTableToolbar);
 }
 }
diff --git a/src/Model/Table/AuthKeysTable.php b/src/Model/Table/AuthKeysTable.php
index b7968b0..c2cf1c9 100644
--- a/src/Model/Table/AuthKeysTable.php
+++ b/src/Model/Table/AuthKeysTable.php
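Review bot: `action_query_strings` is set on the view only when the option is non-empty, but templates/AuthKeys/index.php (last hunk of this patch) reads `$action_query_strings` unconditionally in the new `popover_url` expression, so every AuthKeys index render without a `Users_id` filter evaluates an undefined variable. Set it unconditionally — `$this->Controller->set('action_query_strings', $options['action_query_strings'] ?? []);` — or guard the template with `!empty($action_query_strings)`; the stray blank line inside the new `if` can go too. The enclosing method starts outside the hunk.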
@@ -93,4 +93,36 @@ class AuthKeysTable extends AppTable
 }
 return [];
 }
+
+ public function buildUserConditions($currentUser)
+ {
+ $conditions = [];
+ $validOrgs = $this->Users->getValidOrgsForUser($currentUser);
+ if (empty($currentUser['role']['perm_community_admin'])) {
+ $conditions['Users.organisation_id IN'] = $validOrgs;
+ if (empty($currentUser['role']['perm_group_admin'])) {
+ if (empty($currentUser['role']['perm_org_admin'])) {
+ $conditions['Users.id'] = $currentUser['id'];
+ } else {
+ $role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_community_admin' => 0, 'perm_org_admin' => 0, 'perm_group_admin' => 0])->all()->extract('id')->toList();
+ $conditions['Users.organisation_id'] = $currentUser['organisation_id'];
+ $subConditions = [
+ ['Users.id' => $currentUser['id']]
+ ];
+ if (!empty($role_ids)) {
+ $subConditions[] = ['Users.role_id IN' => $role_ids];
+ }
+ $conditions['OR'] = $subConditions;
+ }
+ } else {
+ $conditions['Users.group_id'] = $currentUser['group_id'];
+ $role_ids = $this->Users->Roles->find()->where(['perm_admin' => 0, 'perm_community_admin' => 0, 'perm_group_admin' => 0])->all()->extract('id')->toList();
+ $conditions['OR'] = [
+ ['Users.id' => $currentUser['id']],
+ ['Users.role_id IN' => $role_ids]
+ ];
+ }
+ }
+ return $conditions;
+ }
 }
diff --git a/templates/AuthKeys/index.php b/templates/AuthKeys/index.php
index 1b5599a..d240def 100644
--- a/templates/AuthKeys/index.php
+++ b/templates/AuthKeys/index.php
@@ -10,8 +10,8 @@ echo $this->element('genericElements/IndexTable/index_table', [
 'data' => [
 'type' => 'simple',
 'text' => __('Add authentication key'),
- 'popover_url' => '/authKeys/add',
- 'reload_url' => $this->request->getRequestTarget()
+ 'popover_url' => '/authKeys/add' . ($action_query_strings ? '?' . http_build_query($action_query_strings) : ''),
+ 'reload_url' => $this->request->getRequestTarget(),
 ]
 ]
 ],
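Review bot: The group-admin branch of buildUserConditions() adds `['Users.role_id IN' => $role_ids]` unconditionally, while the org-admin branch a few lines above only appends its `role_id IN` sub-condition when `$role_ids` is non-empty; if no role passes the filter, the group-admin branch hands an empty IN list to the ORM, which may error or behave differently from the guarded path. Mirror the guard: `$subConditions = [['Users.id' => $currentUser['id']]];` then `if (!empty($role_ids)) { $subConditions[] = ['Users.role_id IN' => $role_ids]; }` before `$conditions['OR'] = $subConditions;`. The new public method has no docblock; it should state that it returns `Users.`-prefixed ORM conditions limiting which users' keys `$currentUser` may manage, that an empty array means no restriction (community admin), and that the `$currentUser` array is expected to carry `role`, `organisation_id` and `group_id`. Minor: `getValidOrgsForUser()` is queried even on the community-admin path where `$validOrgs` is unused, and the org-admin branch sets both `Users.organisation_id IN` and `Users.organisation_id`, which is redundant.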