From 3ea5b7830d4c3d8dda6f67c89de7ff5da680a0d7 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 30 Oct 2023 09:10:42 +0100
Subject: [PATCH 1/4] fix: [genericElements:alignmentField] Use correct URL for individual entries
---
 .../genericElements/SingleViews/Fields/alignmentField.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/element/genericElements/SingleViews/Fields/alignmentField.php b/templates/element/genericElements/SingleViews/Fields/alignmentField.php
index 48a78ab..40d3184 100644
--- a/templates/element/genericElements/SingleViews/Fields/alignmentField.php
+++ b/templates/element/genericElements/SingleViews/Fields/alignmentField.php
@@ -37,7 +37,7 @@ if ($field['scope'] === 'individuals') {
 foreach ($extracted['alignments'] as $alignment) {
 $alignmentEntryHtml = '[' . $this->Bootstrap->node('span', ['class' => ['fw-bold']], h($alignment['type'])) . ']';
 $alignmentEntryHtml .= $this->Bootstrap->node('span', ['class' => ['ms-1']], sprintf(
- '%s',
+ '%s',
 $baseurl,
 h($alignment['individual']['id']),
 h($alignment['individual']['email'])
From 1c6c7f346a312506bd200b98d1132958b7296b9e Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 30 Oct 2023 09:46:09 +0100
Subject: [PATCH 2/4] fix: [users:edit] Correctly take into consideration perm-org-group-admin
---
 src/Controller/UsersController.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index c2c8b57..a5a0565 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -72,7 +72,7 @@ class UsersController extends AppController
 ];
 $individual_ids = [];
 if (!$currentUser['role']['perm_admin']) {
- if (!$currentUser['role']['perm_group_admin']) {
+ if ($currentUser['role']['perm_group_admin']) {
 $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_group_admin' => 0])->all()->toArray();
 $individual_ids = $this->Users->Individuals->find('aligned', ['organisation_id' => $currentUser['organisation_id']])->all()->extract('id')->toArray();
 } else {
@@ -219,12 +219,12 @@ class UsersController extends AppController
 {
 $currentUser = $this->ACL->getUser();
 $validRoles = [];
- $individuals_params = [
- 'sort' => ['email' => 'asc']
- ];
- $individual_ids = [];
 if (!$currentUser['role']['perm_admin']) {
- $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_org_admin' => 0])->all()->toArray();
+ if ($currentUser['role']['perm_group_admin']) {
+ $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_group_admin' => 0])->all()->toArray();
+ } else {
+ $validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0, 'perm_group_admin' => 0, 'perm_org_admin' => 0])->all()->toArray();
+ }
 } else {
 $validRoles = $this->Users->Roles->find('list')->order(['name' => 'asc'])->all()->toArray();
 }
From b987444da2629e85e8237bc8d2b17a8e21581bb4 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 30 Oct 2023 09:47:57 +0100
Subject: [PATCH 3/4] fix: [users:settings] Take into consideration perm-org-group-admin when editing users settings
---
 src/Controller/UsersController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index a5a0565..6ca72db 100644
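Review bot: Nothing in the -72 hunk rejects a submitted `role_id` that is not a key of `$validRoles`; the list is only built here, and the function continues past the hunk, so the check may exist further down. If it does not, the role restriction only shapes the dropdown and is not an authorization control; the same question applies to edit() in the -219 hunk. A comment above the query would make the contract explicit: `// $validRoles is the allow-list for role_id and must be enforced on save, not only rendered`.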
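Review bot: The three role queries in the -219 hunk differ only in their `where()` conditions and repeat the group-admin query that the -72 hunk shows in the other action, and the removed line shows the two copies had already drifted apart; computing the allow-list in one private helper would keep them from diverging again. The helper below keeps the conditions from this hunk and reads the flags through `empty()`, as settings() does in patch 3/4, instead of indexing `$currentUser['role'][...]` directly. The hunk also drops `$individuals_params` and `$individual_ids`; edit() continues outside the hunk, so confirm neither name is still read further down.

```php
$validRoles = $this->assignableRoles($currentUser);
// … unchanged: rest of edit() …

/** Roles the given user may assign, as returned by find('list'). */
private function assignableRoles($currentUser): array
{
    $roles = $this->Users->Roles->find('list')->order(['name' => 'asc']);
    if (!empty($currentUser['role']['perm_admin'])) {
        return $roles->all()->toArray();
    }
    $conditions = ['perm_admin' => 0, 'perm_group_admin' => 0];
    if (empty($currentUser['role']['perm_group_admin'])) {
        // Not a group admin: org-admin roles are out of reach as well.
        $conditions['perm_org_admin'] = 0;
    }
    return $roles->select(['id', 'name'])->where($conditions)->all()->toArray();
}
```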
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -448,13 +448,17 @@ class UsersController extends AppController
 {
 $editingAnotherUser = false;
 $currentUser = $this->ACL->getUser();
- if (empty($currentUser['role']['perm_admin']) || $user_id == $currentUser->id) {
+ if ((empty($currentUser['role']['perm_admin']) && empty($currentUser['role']['perm_group_admin'])) || $user_id == $currentUser->id) {
 $user = $currentUser;
 } else {
 $user = $this->Users->get($user_id, [
 'contain' => ['Roles', 'Individuals' => 'Organisations', 'Organisations', 'UserSettings']
 ]);
 $editingAnotherUser = true;
+ if (!empty($currentUser['role']['perm_group_admin']) && !$this->ACL->canEditUser($currentUser, $user)) {
+ $user = $currentUser;
+ $editingAnotherUser = false;
+ }
 }
 $this->set('editingAnotherUser', $editingAnotherUser);
 $this->set('user', $user);
From 1a7320e363caf17af7e2a81c9f40e5cc02191746 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 30 Oct 2023 10:45:38 +0100
Subject: [PATCH 4/4] fix: [orggroups:ui] Aligned UI with what users can actually do
---
 src/Controller/Component/Navigation/OrgGroups.php | 5 +++--
 src/Controller/OrgGroupsController.php | 10 ++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/Controller/Component/Navigation/OrgGroups.php b/src/Controller/Component/Navigation/OrgGroups.php
index b23d339..549e8fb 100644
--- a/src/Controller/Component/Navigation/OrgGroups.php
+++ b/src/Controller/Component/Navigation/OrgGroups.php
@@ -8,7 +8,7 @@ class OrgGroupsNavigation extends BaseNavigation
 public function addLinks()
 {
 $controller = 'OrgGroups';
- if (empty($this->viewVars['canEdit'])) {
+ if (empty($this->viewVars['canEditDefinition'])) {
 $this->bcf->removeLink($controller, 'view', $controller, 'edit');
 $this->bcf->removeLink($controller, 'edit', $controller, 'edit');
 }
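Review bot: When a group admin requests a user that `canEditUser()` refuses, the block added in the -448 hunk silently swaps in `$currentUser` and renders the caller's own settings, so a denied request looks like a normal one to the caller and, as far as this hunk shows, leaves no trace. The target record is also loaded with `get($user_id, …)` before the permission test, so a non-existent ID fails differently from a forbidden one and the two cases can be told apart from the response. Consider refusing explicitly in place of the fallback, e.g. `throw new \Cake\Http\Exception\ForbiddenException(__('You are not allowed to edit this user.'));`. The function continues after the hunk; whatever saves settings there should act on the resolved `$user`, not on the raw `$user_id`.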
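Review bot: The `canEditDefinition` view variable tested in the -8 hunk is only set where the -58 hunk of OrgGroupsController.php adds it, next to `canEdit` in what appears to be view(), yet this test also guards the link registered for the 'edit' page, and the -17 hunk does the same for actions. If edit() does not set the variable as well, `empty()` is true there for every user, site admins included, and the edit and delete entries disappear on that page. Either set it in edit() too or document the dependency, e.g. `// canEditDefinition is set by OrgGroupsController::view(); unset means "hide"`. Removing links is presentation only, so the edit and delete actions still need the equivalent server-side check, which is not visible in this series.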
@@ -17,9 +17,10 @@ class OrgGroupsNavigation extends BaseNavigation
 public function addActions()
 {
 $controller = 'OrgGroups';
- if (empty($this->viewVars['canEdit'])) {
+ if (empty($this->viewVars['canEditDefinition'])) {
 $this->bcf->removeAction($controller, 'view', $controller, 'delete');
 $this->bcf->removeAction($controller, 'edit', $controller, 'delete');
+ $this->bcf->removeAction($controller, 'view', $controller, 'add');
 }
 }
 }
diff --git a/src/Controller/OrgGroupsController.php b/src/Controller/OrgGroupsController.php
index 105a69e..c775da5 100644
--- a/src/Controller/OrgGroupsController.php
+++ b/src/Controller/OrgGroupsController.php
@@ -58,6 +58,7 @@ class OrgGroupsController extends AppController
 return $responsePayload;
 }
 $this->set('canEdit', $this->canEdit($id));
+ $this->set('canEditDefinition', $this->canEditDefinition($id));
 }

 public function edit($id)
@@ -136,6 +137,15 @@ class OrgGroupsController extends AppController
 return false;
 }

+ private function canEditDefinition($groupId): bool
+ {
+ $currentUser = $this->ACL->getUser();
+ if ($currentUser['role']['perm_admin']) {
+ return true;
+ }
+ return false;
+ }
+
 // Listing should be available to all, it's purely informational
 public function listAdmins($groupId)
 {
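Review bot: `canEditDefinition($groupId)` in the -136 hunk never reads `$groupId` and indexes `$currentUser['role']['perm_admin']` directly, unlike the `empty()` tests used for the same flag in UsersController::settings(). The body reduces to `return !empty($currentUser['role']['perm_admin']);`, and a docblock should state that only site admins may change a group's definition and that the parameter is currently unused (presumably kept to mirror `canEdit($id)`). Within this series the method is only called to set a view variable; if edit() and delete() enforce their own rule elsewhere, the UI and the server-side check can drift apart again.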