From 8098e5b4f48492c7a1e9520916661751f5334627 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Fri, 7 Jun 2024 14:40:38 +0200
Subject: [PATCH] fix: [alignments] rules relaxed, fixes #164
- site admins can add alignments to anyone
- org admins can add alignments for their own org members
- group admins can add alignments for any of their managed orgs' members
---
 src/Model/Table/IndividualsTable.php | 34 +++++++++++++++++++---------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/src/Model/Table/IndividualsTable.php b/src/Model/Table/IndividualsTable.php
index 6e85a3b..8940618 100644
--- a/src/Model/Table/IndividualsTable.php
+++ b/src/Model/Table/IndividualsTable.php
@@ -125,17 +125,29 @@ class IndividualsTable extends AppTable
 public function getValidIndividualsToEdit(object $currentUser): array
 {
- $validRoles = $this->Users->Roles->find('list')->select(['id'])->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->toArray();
- $validIndividualIds = $this->Users->find()->select(['individual_id'])->where(
- [
- 'organisation_id' => $currentUser['organisation_id'],
- 'disabled' => 0,
- 'OR' => [
- ['role_id IN' => array_keys($validRoles)],
- ['id' => $currentUser['id']],
- ]
- ]
- )->all()->extract('individual_id')->toArray();
+ $isSiteAdmin = $currentUser['role']['perm_admin'];
+ $isGroupAdmin = $currentUser['role']['perm_group_admin'];
+ $validRoles = $this->Users->Roles->find('list')->select(['id']);
+ if (!$isSiteAdmin) {
+ $validRoles->where(['perm_admin' => 0]);
+ }
+ $validRoles = $validRoles->all()->toArray();
+ $conditions = [
+ 'disabled' => 0
+ ];
+ if (!$isSiteAdmin) {
+ $conditions['OR'] = [
+ ['role_id IN' => array_keys($validRoles)],
+ ['id' => $currentUser['id']]
+ ];
+ if ($isGroupAdmin) {
+ $OrgGroups = \Cake\ORM\TableRegistry::getTableLocator()->get('OrgGroups');
+ $conditions['organisation_id IN'] = $OrgGroups->getGroupOrgIdsForUser($currentUser);
+ } else {
+ $conditions['organisation_id'] = $currentUser['organisation_id'];
+ }
+ }
+ $validIndividualIds = $this->Users->find()->select(['individual_id'])->where($conditions)->all()->extract('individual_id')->toArray();
 return $validIndividualIds;
 }
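Review bot: The role filter for non-site-admins is now only `perm_admin => 0`, so the returned set also covers users whose role has `perm_org_admin` or `perm_group_admin` set; an org admin therefore receives the individuals of group admins in the same organisation, which may be wider than the "own org members" rule in the commit message intends. If that is not wanted, narrow the filter by caller tier, e.g. `$validRoles->where(['perm_admin' => 0] + ($isGroupAdmin ? [] : ['perm_group_admin' => 0]));`. Separately, `$conditions['organisation_id IN']` takes the result of `getGroupOrgIdsForUser()` unchecked: an empty array would make the query builder reject the empty IN list, and because the organisation constraint is ANDed with the `OR` block, a group admin whose own organisation is missing from that list would lose even the `'id' => $currentUser['id']` match (the helper is outside this hunk, so confirm what it returns). The function also never tests the caller's own `perm_org_admin`, so that authorisation check has to live in the callers, which are not visible here.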