diff --git a/src/Controller/Component/ACLComponent.php b/src/Controller/Component/ACLComponent.php
index 2f021ce..a82964e 100644
--- a/src/Controller/Component/ACLComponent.php
+++ b/src/Controller/Component/ACLComponent.php
@@ -175,8 +175,8 @@ class ACLComponent extends Component
 'listOrgs' => ['*'],
 'assignAdmin' => ['perm_admin'],
 'removeAdmin' => ['perm_admin'],
- 'attachOrg' => ['perm_group_admin'],
- 'detachOrg' => ['perm_group_admin']
+ 'attachOrg' => ['perm_admin', 'perm_group_admin'],
+ 'detachOrg' => ['perm_admin', 'perm_group_admin']
 ],
 'Organisations' => [
 'add' => ['perm_admin'],
@@ -360,8 +360,8 @@ class ACLComponent extends Component
 return false; // org_admins cannot edit admins
 }
 if ($currentUser['role']['perm_group_admin']) {
- $this->OrgGroup = TableRegistry::get('OrgGroup');
- if ($this->OrgGroup->checkIfUserBelongsToGroupAdminsGroup($currentUser, $user)) {
+ $this->OrgGroups = TableRegistry::get('OrgGroups');
+ if ($this->OrgGroups->checkIfUserBelongsToGroupAdminsGroup($currentUser, $user)) {
 return true;
 }
 }
diff --git a/src/Controller/Component/Navigation/OrgGroups.php b/src/Controller/Component/Navigation/OrgGroups.php
new file mode 100644
index 0000000..b23d339
--- /dev/null
+++ b/src/Controller/Component/Navigation/OrgGroups.php
@@ -0,0 +1,25 @@
+viewVars['canEdit'])) {
+ $this->bcf->removeLink($controller, 'view', $controller, 'edit');
+ $this->bcf->removeLink($controller, 'edit', $controller, 'edit');
+ }
+ }
+
+ public function addActions()
+ {
+ $controller = 'OrgGroups';
+ if (empty($this->viewVars['canEdit'])) {
+ $this->bcf->removeAction($controller, 'view', $controller, 'delete');
+ $this->bcf->removeAction($controller, 'edit', $controller, 'delete');
+ }
+ }
+}
diff --git a/src/Controller/Component/Navigation/Organisations.php b/src/Controller/Component/Navigation/Organisations.php
index 3df07c1..d141f7a 100644
--- a/src/Controller/Component/Navigation/Organisations.php
+++ b/src/Controller/Component/Navigation/Organisations.php
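Review bot: `TableRegistry::get('OrgGroups')` on the new line uses an accessor CakePHP deprecated in 3.6; the locator form `$this->OrgGroups = TableRegistry::getTableLocator()->get('OrgGroups');` resolves the same table without the deprecation notice, and a local variable would avoid writing a dynamic `$this->OrgGroups` property on the component, which PHP 8.2 also deprecates unless the class declares it. Nothing else in the hunk reads that property, though code outside it might, so check before dropping it. The enclosing method starts and ends outside the hunk.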
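Review bot: `addLinks()` and `addActions()` here are copied verbatim into the Organisations navigation hunk in the next file, differing only in the `$controller` literal; moving both into BaseNavigation with the controller name supplied by the subclass would leave a single copy to keep aligned with `canEdit`. As extracted, this hunk is missing its first lines (PHP tag, class declaration and the opening of `addLinks()` up to `$this->`), so the visible span starts mid-statement and the start of that method lies outside what is shown. Removing the edit and delete links when `canEdit` is empty is presentation only; the `edit`/`delete` actions themselves still depend on the ACLComponent rules for authorization, so the controller should derive `canEdit` from that same check rather than a separate heuristic — where it is set is not visible here.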
@@ -5,4 +5,21 @@ require_once(APP . 'Controller' . DS . 'Component' . DS . 'Navigation' . DS . 'b
 class OrganisationsNavigation extends BaseNavigation
 {
+ public function addLinks()
+ {
+ $controller = 'Organisations';
+ if (empty($this->viewVars['canEdit'])) {
+ $this->bcf->removeLink($controller, 'view', $controller, 'edit');
+ $this->bcf->removeLink($controller, 'edit', $controller, 'edit');
+ }
+ }
+
+ public function addActions()
+ {
+ $controller = 'Organisations';
+ if (empty($this->viewVars['canEdit'])) {
+ $this->bcf->removeAction($controller, 'view', $controller, 'delete');
+ $this->bcf->removeAction($controller, 'edit', $controller, 'delete');
+ }
+ }
 }
diff --git a/src/Controller/Component/NavigationComponent.php b/src/Controller/Component/NavigationComponent.php
index 6dea2cf..d3e03f1 100644
--- a/src/Controller/Component/NavigationComponent.php
+++ b/src/Controller/Component/NavigationComponent.php
@@ -156,6 +156,7 @@ class NavigationComponent extends Component
 $CRUDControllers = [
 'Individuals',
 'Organisations',
+ 'OrgGroups',
 'EncryptionKeys',
 'SharingGroups',
 'Broods',
diff --git a/src/Controller/IndividualsController.php b/src/Controller/IndividualsController.php
index 8702891..47a9957 100644
--- a/src/Controller/IndividualsController.php
+++ b/src/Controller/IndividualsController.php
@@ -39,7 +39,7 @@ class IndividualsController extends AppController
 if (!empty($responsePayload)) {
 return $responsePayload;
 }
- $editableIds = null;
+ $editableIds = [];
 if ($orgAdmin) {
 $editableIds = $this->Individuals->getValidIndividualsToEdit($currentUser);
 }
diff --git a/src/Model/Table/OrgGroupsTable.php b/src/Model/Table/OrgGroupsTable.php
index 13ee4c5..955eadc 100644
--- a/src/Model/Table/OrgGroupsTable.php
+++ b/src/Model/Table/OrgGroupsTable.php
@@ -7,6 +7,7 @@ use Cake\ORM\Table;
 use Cake\Validation\Validator;
 use Cake\Error\Debugger;
 use App\Model\Entity\User;
+use Cake\Utility\Hash;
 class OrgGroupsTable extends AppTable
 {
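Review bot: Defaulting `$editableIds` to `[]` instead of `null` changes what every non-`$orgAdmin` caller sees, including site admins who never enter the `if ($orgAdmin)` branch; if any consumer of `$editableIds` later in the action or in the view treats `null` as "no restriction", those callers now read "nothing editable", so confirm how the value is consumed. If the intent is that the variable is always a list so downstream `in_array()`/`foreach` never receive `null` (a TypeError for `in_array` on PHP 8), say so inline, e.g. `$editableIds = []; // always a list; only org admins get a restricted set`. The enclosing action starts and ends outside the hunk.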
@@ -37,6 +38,9 @@ class OrgGroupsTable extends AppTable
 public function checkIfGroupAdmin(int $groupId, User $user): bool
 {
+ if (!empty($user['role']['perm_admin'])) {
+ return true;
+ }
 $orgGroup = $this->get($groupId, ['contain' => 'Users']);
 if (empty($orgGroup)) {
 return false;
@@ -51,7 +55,38 @@ class OrgGroupsTable extends AppTable
 public function checkIfUserBelongsToGroupAdminsGroup(User $currentUser, User $userToCheck): bool
 {
- $managedGroups = $this->find('list')->where(['Users.id' => $currentUser['id']])->select(['id', 'uuid'])->disableHydration()->toArray();
- return isset($managedGroups[$userToCheck['org_id']]);
+ $managedGroups = $this->find('all')
+ ->matching(
+ 'Users',
+ function ($q) use ($currentUser) {
+ return $q->where(
+ [
+ 'Users.id' => $currentUser['id']
+ ]
+ );
+ }
+ )
+ ->contain(['Organisations'])
+ ->toArray();
+ $org_ids = Hash::extract($managedGroups, '{n}.organisations.{n}.id');
+ return in_array($userToCheck['organisation_id'], $org_ids);
+ }
+
+ public function getGroupOrgIdsForUser(User $user): array
+ {
+ $managedGroups = $this->find('all')
+ ->matching(
+ 'Users',
+ function ($q) use ($user) {
+ return $q->where(
+ [
+ 'Users.id' => $user['id']
+ ]
+ );
+ }
+ )
+ ->contain(['Organisations'])
+ ->toArray();
+ return array_unique(Hash::extract($managedGroups, '{n}.organisations.{n}.id'));
 }
 }
diff --git a/templates/OrgGroups/index.php b/templates/OrgGroups/index.php
index 577e238..33569ad 100644
--- a/templates/OrgGroups/index.php
+++ b/templates/OrgGroups/index.php
@@ -11,7 +11,8 @@ echo $this->element('genericElements/IndexTable/index_table', [
 'type' => 'simple',
 'text' => __('Add group'),
 'class' => 'btn btn-primary',
- 'popover_url' => '/orgGroups/add'
+ 'popover_url' => '/orgGroups/add',
+ 'requirement' => !empty($loggedUser['role']['perm_admin']),
 ]
 ]
 ],
diff --git a/templates/Organisations/index.php b/templates/Organisations/index.php
index e9cafb1..2cf96de 100644
--- a/templates/Organisations/index.php
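Review bot: `in_array($userToCheck['organisation_id'], $org_ids)` in `checkIfUserBelongsToGroupAdminsGroup` decides an authorization outcome with loose comparison; pass `true` as the third argument so a string/int mismatch cannot produce a spurious match (both sides should already be ints from the ORM — confirm `organisation_id` is not cast to string on the entity). The query in that method is the same as the one in the new `getGroupOrgIdsForUser()`, so its body can shrink to `return in_array($userToCheck['organisation_id'], $this->getGroupOrgIdsForUser($currentUser), true);`. In `getGroupOrgIdsForUser()`, `array_unique()` preserves keys, so the result is no longer a list once a duplicate is dropped; wrap it in `array_values()` if callers expect a list. Both queries also hydrate full group and organisation rows just to read ids, which restricting the contained Organisations to their `id` field would avoid, and `$org_ids` departs from the camelCase used by `$managedGroups` and `$orgGroup` in the same file.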
+++ b/templates/Organisations/index.php
@@ -11,7 +11,8 @@ echo $this->element('genericElements/IndexTable/index_table', [
 'type' => 'simple',
 'text' => __('Add organisation'),
 'class' => 'btn btn-primary',
- 'popover_url' => '/organisations/add'
+ 'popover_url' => '/organisations/add',
+ 'requirement' => !empty($loggedUser['role']['perm_admin']),
 ]
 ]
 ],