From af8f1e9e74b5c12cde5b7a44451e6232487df7a5 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Fri, 24 Feb 2023 11:17:55 +0100
Subject: [PATCH] chg: [tags:org/individual] Relaxed ACL on tagging

- Before only `site_admin` could add tags.
- Now `org_admins` can add tags for their orgs and individuals
- Regular users can self manage their own individual tag
---
 src/Controller/Component/ACLComponent.php | 8 ++---
 src/Controller/IndividualsController.php | 35 ++++++++++++++--------
 src/Controller/OrganisationsController.php | 27 ++++++++++++-----
 templates/Individuals/view.php | 1 +
 templates/Organisations/view.php | 1 +
 5 files changed, 48 insertions(+), 24 deletions(-)

diff --git a/src/Controller/Component/ACLComponent.php b/src/Controller/Component/ACLComponent.php
index 9c3dd4c..4d37067 100644
--- a/src/Controller/Component/ACLComponent.php
+++ b/src/Controller/Component/ACLComponent.php
@@ -90,8 +90,8 @@ class ACLComponent extends Component
 'edit' => ['perm_admin', 'perm_org_admin'],
 'filtering' => ['*'],
 'index' => ['*'],
- 'tag' => ['perm_tagger'],
- 'untag' => ['perm_tagger'],
+ 'tag' => ['*'],
+ 'untag' => ['*'],
 'view' => ['*'],
 'viewTags' => ['*']
 ],
@@ -152,8 +152,8 @@ class ACLComponent extends Component
 'edit' => ['perm_admin'],
 'filtering' => ['*'],
 'index' => ['*'],
- 'tag' => ['perm_tagger'],
- 'untag' => ['perm_tagger'],
+ 'tag' => ['perm_org_admin'],
+ 'untag' => ['perm_org_admin'],
 'view' => ['*'],
 'viewTags' => ['*']
 ],
diff --git a/src/Controller/IndividualsController.php b/src/Controller/IndividualsController.php
index bd3c852..236dff6 100644
--- a/src/Controller/IndividualsController.php
+++ b/src/Controller/IndividualsController.php
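Review bot: Opening `tag`/`untag` to `*` in the first hunk removes the role gate from the ACL table entirely, so the only authorization left is the per-record check in IndividualsController::canEdit(); the table no longer documents who may tag, and any later path that reaches CRUD->tag without that call is open to every authenticated user. It also silently drops `perm_tagger`: a user holding only that permission can now tag nobody except the individuals returned by getValidIndividualsToEdit(), which the commit message ("only site_admin could add tags" — the removed lines actually said perm_tagger) does not mention. I would annotate both entries, `'tag' => ['*'], // per-record check lives in IndividualsController::canEdit()`, and add a line to the commit message stating that perm_tagger no longer grants tagging rights.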
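Review bot: The new `'tag' => ['perm_org_admin']` entries in the second hunk omit `perm_admin`, whereas the sibling `'edit' => ['perm_admin', 'perm_org_admin']` entry in the first hunk spells out both roles; unless the component grants perm_admin implicitly (not visible here), site admins are now refused at the ACL layer before OrganisationsController::canEdit() runs, and that method's perm_admin branch becomes unreachable for these two actions. If there is no implicit rule the entries should read `'tag' => ['perm_admin', 'perm_org_admin'],` and `'untag' => ['perm_admin', 'perm_org_admin'],`. Either way a one-line comment naming the convention for perm_admin in this table would stop the next reader from guessing.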
@@ -68,25 +68,15 @@ class IndividualsController extends AppController
 if (!empty($responsePayload)) {
 return $responsePayload;
 }
+ $this->set('canEdit', $this->canEdit($id));
 }
 
 public function edit($id)
 {
- $currentUser = $this->ACL->getUser();
- if (!$currentUser['role']['perm_admin']) {
- $validIndividuals = $this->Individuals->getValidIndividualsToEdit($currentUser);
- if (!in_array($id, $validIndividuals)) {
- throw new MethodNotAllowedException(__('You cannot modify that individual.'));
- }
+ if (!$this->canEdit($id)) {
+ throw new MethodNotAllowedException(__('You cannot modify that individual.'));
 }
 $currentUser = $this->ACL->getUser();
- $validIndividualIds = [];
- if (!$currentUser['role']['perm_admin']) {
- $validIndividualIds = $this->Individuals->getValidIndividualsToEdit($currentUser);
- if (!in_array($id, $validIndividualIds)) {
- throw new NotFoundException(__('Invalid individual.'));
- }
- }
 $this->CRUD->edit($id, [
 'beforeSave' => function($data) use ($currentUser) {
 if ($currentUser['role']['perm_admin'] && isset($data['uuid'])) {
@@ -113,6 +103,9 @@ class IndividualsController extends AppController
 
 public function tag($id)
 {
+ if (!$this->canEdit($id)) {
+ throw new MethodNotAllowedException(__('You cannot tag that individual.'));
+ }
 $this->CRUD->tag($id);
 $responsePayload = $this->CRUD->getResponsePayload();
 if (!empty($responsePayload)) {
@@ -122,6 +115,9 @@ class IndividualsController extends AppController
 
 public function untag($id)
 {
+ if (!$this->canEdit($id)) {
+ throw new MethodNotAllowedException(__('You cannot untag that individual.'));
+ }
 $this->CRUD->untag($id);
 $responsePayload = $this->CRUD->getResponsePayload();
 if (!empty($responsePayload)) {
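Review bot: The guards added to tag() and untag() throw `MethodNotAllowedException`, which Cake renders as HTTP 405 (wrong verb), for what is an authorization failure; the matching exception is `ForbiddenException` (403), e.g. `throw new ForbiddenException(__('You cannot tag that individual.'));`. The existing edit() above already uses 405 for the same purpose, so this is a file-wide convention rather than a fault of this hunk, but the new code is the natural place to stop spreading it, and API clients keying on status codes would benefit. A one-line comment on the check, `// per-record authorization; the ACL table allows '*' for this action`, would also record why the controller, not ACLComponent, is the gate here. tag() and untag() both continue past the end of their hunks.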
@@ -137,4 +133,17 @@ class IndividualsController extends AppController
 return $responsePayload;
 }
 }
+
+ public function canEdit($indId): bool
+ {
+ $currentUser = $this->ACL->getUser();
+ if ($currentUser['role']['perm_admin']) {
+ return true;
+ }
+ $validIndividuals = $this->Individuals->getValidIndividualsToEdit($currentUser);
+ if (in_array($indId, $validIndividuals)) {
+ return true;
+ }
+ return false;
+ }
 }
diff --git a/src/Controller/OrganisationsController.php b/src/Controller/OrganisationsController.php
index 367df4f..5de8063 100644
--- a/src/Controller/OrganisationsController.php
+++ b/src/Controller/OrganisationsController.php
@@ -101,7 +101,6 @@ class OrganisationsController extends AppController
 if (!empty($responsePayload)) {
 return $responsePayload;
 }
- $this->set('metaGroup', 'ContactDB');
 }
 
 public function view($id)
@@ -111,16 +110,12 @@ class OrganisationsController extends AppController
 if (!empty($responsePayload)) {
 return $responsePayload;
 }
- $this->set('metaGroup', 'ContactDB');
+ $this->set('canEdit', $this->canEdit($id));
 }
 
 public function edit($id)
 {
- $currentUser = $this->ACL->getUser();
- if (
- !($currentUser['organisation']['id'] == $id && $currentUser['role']['perm_org_admin']) &&
- !$currentUser['role']['perm_admin']
- ) {
+ if (!$this->canEdit($id)) {
 throw new MethodNotAllowedException(__('You cannot modify that organisation.'));
 }
 $this->CRUD->edit($id);
@@ -144,6 +139,9 @@ class OrganisationsController extends AppController
 
 public function tag($id)
 {
+ if (!$this->canEdit($id)) {
+ throw new MethodNotAllowedException(__('You cannot tag that organisation.'));
+ }
 $this->CRUD->tag($id);
 $responsePayload = $this->CRUD->getResponsePayload();
 if (!empty($responsePayload)) {
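Review bot: `canEdit()` is declared `public` on a controller, which in CakePHP makes it a routable action (`/individuals/canEdit/<id>`); an action cannot return `bool`, and depending on how ACLComponent treats actions missing from its table the URL either errors out or answers which records the caller may edit. Make it a helper, `protected function canEdit($indId): bool`, so the router never sees it. Separately, `in_array($indId, $validIndividuals)` compares the URL string loosely; under PHP 8 numeric-string rules `'10'`, `'10.0'` and `'1e1'` all match 10, so normalise first, `in_array((int) $indId, $validIndividuals, true)` — this assumes getValidIndividualsToEdit() returns integer ids, which is not visible here and should be confirmed. A short docblock stating the rule ("site admins always; otherwise only ids returned by getValidIndividualsToEdit()") would document the policy that the ACL table no longer expresses.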
@@ -153,6 +151,9 @@ class OrganisationsController extends AppController
 
 public function untag($id)
 {
+ if (!$this->canEdit($id)) {
+ throw new MethodNotAllowedException(__('You cannot untag that organisation.'));
+ }
 $this->CRUD->untag($id);
 $responsePayload = $this->CRUD->getResponsePayload();
 if (!empty($responsePayload)) {
@@ -168,4 +169,16 @@ class OrganisationsController extends AppController
 return $responsePayload;
 }
 }
+
+ public function canEdit($orgId): bool
+ {
+ $currentUser = $this->ACL->getUser();
+ if ($currentUser['role']['perm_admin']) {
+ return true;
+ }
+ if ($currentUser['role']['perm_org_admin'] && $currentUser['organisation']['id'] == $orgId) {
+ return true;
+ }
+ return false;
+ }
 }
diff --git a/templates/Individuals/view.php b/templates/Individuals/view.php
index 3eeddbc..423c7e6 100644
--- a/templates/Individuals/view.php
+++ b/templates/Individuals/view.php
@@ -31,6 +31,7 @@ echo $this->element(
 [
 'key' => __('Tags'),
 'type' => 'tags',
+ 'editable' => $canEdit,
 ],
 [
 'key' => __('Alignments'),
diff --git a/templates/Organisations/view.php b/templates/Organisations/view.php
index e393c6f..0d3d2cd 100644
--- a/templates/Organisations/view.php
+++ b/templates/Organisations/view.php
@@ -40,6 +40,7 @@ echo $this->element(
 [
 'key' => __('Tags'),
 'type' => 'tags',
+ 'editable' => $canEdit,
 ],
 [
 'key' => __('Alignments'),
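Review bot: This `canEdit()` is also `public` and therefore a routable CakePHP action; it should be `protected function canEdit($orgId): bool` like its Individuals counterpart so neither controller exposes its authorization helper as a URL. The org match `$currentUser['organisation']['id'] == $orgId` is a loose comparison between a session value and the raw URL parameter: under PHP 8 numeric-string rules `'1.0'` and `'1e0'` both equal 1, and what `CRUD->tag()` then does with that un-normalised `$id` is outside this hunk. Cast once and compare strictly, `(int) $currentUser['organisation']['id'] === (int) $orgId`, so the id that passed the check is the id that is acted on. A docblock stating the two grant conditions (site admin, or org admin of this very organisation) would give the policy a home now that the ACL entry only says perm_org_admin.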