From 340413ff38b404d7b1a40fe96213af7cce1a43b2 Mon Sep 17 00:00:00 2001
From: Craig Williams
Date: Tue, 8 Mar 2022 15:16:54 +0000
Subject: [PATCH] Allow editable fields to be selected by permission

---
 src/Controller/OrganisationController.php | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/Controller/OrganisationController.php b/src/Controller/OrganisationController.php
index e308bf4..c1e087b 100644
--- a/src/Controller/OrganisationController.php
+++ b/src/Controller/OrganisationController.php
@@ -886,21 +886,23 @@ class OrganisationController extends SimpleController
             throw new NotFoundException();
         }
 
-        // Access-controlled resource - check that currentUser has permission to edit basic fields "name", "slug", "description" for this organisation
-        $fieldNames = ['name', 'slug', 'description'];
-        if (!$authorizer->checkAccess($currentUser, 'update_organisation_field', [
-            'organisation' => $organisation,
-            'fields' => $fieldNames,
-        ])) {
-            throw new ForbiddenException();
-        }
-
         // Generate form
         $fields = [
             'hidden' => [],
             'disabled' => [],
         ];
 
+        // Access-controlled resource - check that currentUser has permission to edit basic fields "name", "slug", "description" for this organisation
+        $fieldNames = ['name', 'slug', 'description'];
+        foreach ($fieldNames as $field) {
+            if (!$authorizer->checkAccess($currentUser, 'update_organisation_field', [
+                'organisation' => $organisation,
+                'fields' => [$field],
+            ])) {
+                $fields['disabled'][] = $field;
+            }
+        }
+
         if (!$currentUser->isMaster() && $currentUser->roles()->where('slug', 'organisations-admin')->count() == 0) {
             $fields['hidden'][] = 'slug';
         }
@@ -1051,7 +1053,7 @@ class OrganisationController extends SimpleController
 
         if (!$authorizer->checkAccess($currentUser, 'update_organisation_field', [
             'organisation' => $organisation,
-            'fields' => ['name', 'slug', 'description', 'members'],
+            'fields' => [],
         ])) {
             $editButtons['hidden'][] = 'edit';
         }
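Review bot: Replacing the ForbiddenException with a `$fields['disabled'][]` entry turns the authorization check into a rendering hint, and a disabled form control is only enforced in the browser, so the endpoint that receives this form must still call `checkAccess` for `update_organisation_field` on each submitted field (that handler is outside this hunk, so I cannot confirm it does). The new code also renders the form when every one of `name`, `slug` and `description` is disabled, which looks unintended; if a read-only form is not the goal, add after the loop `if (count($fields['disabled']) === count($fieldNames)) { throw new ForbiddenException(); }`. The retained header comment is now stale because it describes a permission check that rejects, not one that disables; suggest `// Disable each basic field the current user may not update; the update handler must re-check these server-side.` The enclosing method starts and ends outside the hunk.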
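Review bot: `'fields' => []` in the edit-button check is ambiguous: if the `update_organisation_field` condition iterates the list and requires every entry to be permitted, an empty list is vacuously satisfied, and the edit button would then be shown to a user who cannot edit any field (the access condition is not in this diff, so this is inferred). The intent appears to be "show the button if at least one field is editable", which is better expressed by checking the fields individually, mirroring the per-field loop in the earlier hunk, and hiding the button only when none passes. The enclosing method starts and ends outside the hunk.
```php
        $editableFields = array_filter(
            ['name', 'slug', 'description', 'members'],
            fn (string $field): bool => $authorizer->checkAccess($currentUser, 'update_organisation_field', [
                'organisation' => $organisation,
                'fields' => [$field],
            ]),
        );
        if ($editableFields === []) {
            $editButtons['hidden'][] = 'edit';
        }
```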