From b233241e87b7689b5f182ac44b92e6e7090e2999 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 15 May 2024 11:11:44 +0200
Subject: [PATCH] fix: [group admin] be able to add users for the administered orgs
---
 src/Controller/UsersController.php | 12 ++++++++++--
 src/Model/Table/UsersTable.php | 12 +++++++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 863af88..d86f314 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -117,7 +117,14 @@ class UsersController extends AppController
 $data['role_id'] = $defaultRole['id'];
 }
 if (!$currentUser['role']['perm_admin']) {
- $data['organisation_id'] = $currentUser['organisation_id'];
+ $validOrgs = $this->Users->getValidOrgsForUser($currentUser);
+ if ($currentUser['role']['perm_group_admin']) {
+ if (!empty($data['organisation_id']) && !in_array($currentUser['organisation_id'], $validOrgs)) {
+ throw new MethodNotAllowedException(__('You do not have permission to assign that organisation.'));
+ }
+ } else {
+ $data['organisation_id'] = $currentUser['organisation_id'];
+ }
 if (!in_array($data['role_id'], array_keys($validRoles))) {
 throw new MethodNotAllowedException(__('You do not have permission to assign that role.'));
 }
@@ -171,7 +178,8 @@ class UsersController extends AppController
 */
 $org_conditions = [];
 if (empty($currentUser['role']['perm_admin'])) {
- $org_conditions = ['id' => $currentUser['organisation_id']];
+ $validOrgs = $this->Users->getValidOrgsForUser($currentUser);
+ $org_conditions = ['id IN' => $validOrgs];
 }
 $dropdownData = [
 'role' => $validRoles,
diff --git a/src/Model/Table/UsersTable.php b/src/Model/Table/UsersTable.php
index 4cb2dde..f82d54d 100644
--- a/src/Model/Table/UsersTable.php
+++ b/src/Model/Table/UsersTable.php
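Review bot: The authorisation check in the group-admin branch tests the wrong value: `in_array($currentUser['organisation_id'], $validOrgs)` looks at the administrator's own organisation, not the one submitted in the request, so any `$data['organisation_id']` passes as long as the admin's org is in the list, and the new user lands in an organisation the group admin does not administer. The condition should be `if (!empty($data['organisation_id']) && !in_array($data['organisation_id'], $validOrgs, true)) {`, with the request value cast to match the id type that getValidOrgsForUser returns (request data is typically string, ids from the ORM typically int — confirm before switching to strict comparison). Note also that when a group admin submits no organisation_id, nothing is assigned at all, whereas the removed line always set one; either default it to `$currentUser['organisation_id']` or reject the request explicitly. The enclosing add action starts and ends outside this hunk.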
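Review bot: `['id IN' => $validOrgs]` is built without checking that the list is non-empty; for a group admin whose group administers no organisation, getValidOrgsForUser can presumably return `[]`, and the CakePHP ORM refuses to render an `IN` condition over an empty list, so the add form would fail with an exception rather than an empty dropdown. Guard the list before building the condition, e.g. `if ($validOrgs === []) { throw new MethodNotAllowedException(__('You do not administer any organisation.')); }` or substitute a condition that yields no rows. The same empty-list case affects the permission check in the hunk at line 117, where it silently passes when no organisation_id is submitted. The enclosing function starts and ends outside this hunk.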
@@ -293,8 +293,18 @@ class UsersTable extends AppTable
 return true;
 }
 
- public function getAllOrganisations($currentUser) {
+ public function getAllOrganisations(\App\Model\Entity\User $currentUser)
+ {
 $this->Individuals = TableRegistry::get('Individuals');
 return $this->Individuals->getAllOrganisations($currentUser);
 }
+
+ public function getValidOrgsForUser(\App\Model\Entity\User $user): array
+ {
+ if (!empty($user['role']['perm_group_admin'])) {
+ return $this->Organisations->OrgGroups->getGroupOrgIdsForUser($user);
+ } else {
+ return [$user['organisation_id']];
+ }
+ }
 }
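Review bot: getValidOrgsForUser is the authorisation source for the controller changes in this commit but documents neither its return shape nor the fact that a group admin's result does not include the admin's own organisation_id unless the group happens to contain it; callers comparing request values against this list need to know the element type. Add a docblock along the lines of `/** Organisation ids this user may assign to other users: the ids of the groups they administer for a group admin, otherwise only their own organisation. @return list<int> */`, and confirm that getGroupOrgIdsForUser actually returns a flat list of ints (it is reached through `$this->Organisations->OrgGroups`, so the association chain is assumed to exist). Stylistically the `else` after `return` is redundant; `return [$user['organisation_id']];` can stand on its own after the guard. The type hint was also added to getAllOrganisations, but that method still has no return type, unlike the new one.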