From 575aa68bca1aef8b1e0c736156409d1fe1ac8e7a Mon Sep 17 00:00:00 2001
From: Craig Williams
Date: Thu, 10 Feb 2022 18:11:42 +0000
Subject: [PATCH] Tighten some more permissions down
---
 src/Database/Seeds/OrganisationPermissions.php | 16 +++++++++++++++-
 src/Twig/OrganisationsExtension.php | 4 ++++
 templates/tables/organisations.html.twig | 10 ++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/Database/Seeds/OrganisationPermissions.php b/src/Database/Seeds/OrganisationPermissions.php
index 1ccf848..dc2c3b7 100644
--- a/src/Database/Seeds/OrganisationPermissions.php
+++ b/src/Database/Seeds/OrganisationPermissions.php
@@ -60,9 +60,21 @@ class OrganisationPermissions extends BaseSeed
 'view_organisation_field' => new Permission([
 'slug' => 'view_organisation_field',
 'name' => 'View organisation',
- 'conditions' => "in(property,['name','slug','description','members'])",
+ 'conditions' => "in(property,['name','slug','description'])",
 'description' => 'View certain properties of any organisation.',
 ]),
+ 'view_organisation_members_field' => new Permission([
+ 'slug' => 'view_organisation_field',
+ 'name' => 'View organisation members field',
+ 'conditions' => "in(property,['members'])",
+ 'description' => 'View members field of any organisation.',
+ ]),
+ 'view_organisation_members' => new Permission([
+ 'slug' => 'view_organisation_members',
+ 'name' => 'View organisation members',
+ 'conditions' => "always()",
+ 'description' => 'View members of any organisation.',
+ ]),
 'view_organisation_field_own' => new Permission([
 'slug' => 'view_organisation_field',
 'name' => 'View own organisation',
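Review bot: Editing the `conditions` string of `view_organisation_field` in the seed may not remove the `members` grant from databases that were already seeded. Unless the save step outside this hunk updates rows in place, the old row listing `'members'` would remain and stay attached to every role that held it, and the `syncWithoutDetaching` call in the next hunk never detaches anything. A migration, or an explicit update or delete of the old row before the sync, looks necessary for the tightening to reach existing installs. The reuse of slug `view_organisation_field` under the key `view_organisation_members_field` also deserves a one-line comment, e.g. `// Same slug as view_organisation_field on purpose: grants 'members' only to roles given this row.` The permissions array starts and ends outside the hunk.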
@@ -194,6 +206,8 @@ class OrganisationPermissions extends BaseSeed
 $roleOrgAdmin->permissions()->syncWithoutDetaching([
 $permissions['create_organisation']->id,
 $permissions['view_organisation_field']->id,
+ $permissions['view_organisation_members_field']->id,
+ $permissions['view_organisation_members']->id,
 $permissions['update_organisation_field']->id,
 $permissions['approve_organisation']->id,
 $permissions['merge_organisations']->id,
diff --git a/src/Twig/OrganisationsExtension.php b/src/Twig/OrganisationsExtension.php
index c29c698..2f78b2c 100644
--- a/src/Twig/OrganisationsExtension.php
+++ b/src/Twig/OrganisationsExtension.php
@@ -62,6 +62,10 @@ class OrganisationsExtension extends AbstractExtension implements GlobalsInterfa
 return $authorizer->runCallback($currentUser, 'is_organisation_admin', $currentUser->id, $organisation->id);
 }),
+ new TwigFunction('hasRole', function ($roleSlug) {
+ $currentUser = $this->services->currentUser;
+ return $currentUser->roles()->where('slug', $roleSlug)->count() > 0;
+ }),
 ];
 }
diff --git a/templates/tables/organisations.html.twig b/templates/tables/organisations.html.twig
index f4c82fb..a184852 100644
--- a/templates/tables/organisations.html.twig
+++ b/templates/tables/organisations.html.twig
@@ -14,8 +14,10 @@ {{translate('ORGANISATION')}} {{translate("DESCRIPTION")}} {{translate("STATUS")}} + {% if checkAccess('view_organisation_members') %} {{translate("ORGANISATION.MEMBER_COUNT")}} {{translate("ORGANISATION.ADMIN_COUNT")}} + {% endif %} {{translate("ACTIONS")}}
@@ -35,7 +37,15 @@
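Review bot: The new `hasRole` Twig function decides by role slug alone, which sidesteps the permission conditions this commit tightens and which the neighbouring callback evaluates through `$authorizer`. A template gated on it would keep rendering after that role's permissions are revoked, so gating on a permission through `checkAccess` is the safer choice. If the helper stays, type the argument and let the database stop at the first match: `new TwigFunction('hasRole', function (string $roleSlug): bool {` and `return $currentUser->roles()->where('slug', $roleSlug)->exists();`. Each call issues a query, so calling it inside a row loop should be avoided. The enclosing method begins outside the hunk.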
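Review bot: The `checkAccess('view_organisation_members')` guard in the table header only hides the two count columns from view. The member and admin counts stay protected only if the data source feeding this table also omits them for users without the permission, since anything sent to the browser can be read regardless of the template. The body-row cells need the identical condition so the columns stay aligned; the following hunk is cut off here, so that cannot be confirmed. A Twig comment above the `if` would record the intent, e.g. `{# Member/admin counts require view_organisation_members; the server-side data must enforce the same check #}`.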