diff --git a/src/Database/Seeds/OrganisationPermissions.php b/src/Database/Seeds/OrganisationPermissions.php
index 2daa0f6..41702a0 100644
--- a/src/Database/Seeds/OrganisationPermissions.php
+++ b/src/Database/Seeds/OrganisationPermissions.php
@@ -50,6 +50,11 @@ class OrganisationPermissions extends BaseSeed
 'organisations-admin' => Role::where('slug', 'organisations-admin')->first()->id,
 ];
+ $canAdminOrgUsers = "(has_role(self.id,{$roleIds['organisations-admin']}) || (has_matching_organisation(self.id,user.id,1) && !has_role(user.id,{$roleIds['organisations-admin']}))";
+ $canAdminOrgAdmins = "(has_role(self.id,{$roleIds['organisations-admin']}) || (has_matching_organisation(self.id,user.id,1))";
+ $excludeMasters = "(!is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}))";
+ $isSelf = "equals_num(self.id,user.id)";
+
 return [
 'create_organisation' => new Permission([
 'slug' => 'create_organisation',
@@ -197,8 +202,8 @@ class OrganisationPermissions extends BaseSeed
 'uri_user_in_organisation' => new Permission([
 'slug' => 'uri_user',
 'name' => 'View user',
- 'conditions' => "(has_role(self.id,{$roleIds['organisations-admin']}) || has_matching_organisation(self.id,user.id,1)) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id))",
- 'description' => 'View the user page of any user in your group, except the master user and Site and (global) Organisation Administrators (except yourself).',
+ 'conditions' => "(($canAdminOrgAdmins && $excludeMasters) || $isSelf)",
+ 'description' => 'View the user page of any user in your orgnisation, except the master user and Site and (global) Organisation Administrators (except yourself).',
 ]),
 'view_user_field' => new Permission([
 'slug' => 'view_user_field',
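Review bot: The four new condition fragments on the added lines encode access decisions but carry no comment saying what each one admits, and the names undersell them: `$excludeMasters` also excludes site-admins, and `$canAdminOrgUsers` and `$canAdminOrgAdmins` differ only in whether the target may hold `organisations-admin`. A one-line comment above each, e.g. `// self is a global organisations-admin, or shares an organisation with user (flag 1) and user is not a global organisations-admin` for `$canAdminOrgUsers` and `// target is neither the master user nor a site-admin` for `$excludeMasters`, would help later edits keep the fragments aligned with the description strings they feed. The meaning of the third argument in `has_matching_organisation(self.id,user.id,1)` is stated nowhere in the seed; it presumably selects an admin-type membership and deserves naming in that comment as well. The enclosing method continues outside the hunk.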
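Review bot: The new `uri_user_in_organisation` condition drops the `(!has_role(user.id,…organisations-admin…) || equals_num(self.id,user.id))` guard that the removed line carried, because `$canAdminOrgAdmins` omits it; a holder matched only through `has_matching_organisation(self.id,user.id,1)` can now open the page of a global organisations-admin, while the new description still promises to exclude them. If the widening is unintended, `'conditions' => "(($canAdminOrgUsers && $excludeMasters) || $isSelf)",` restores the old semantics; if it is intended, the description should say so instead. The added description line also introduces a typo, `orgnisation`.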
@@ -209,40 +214,41 @@ class OrganisationPermissions extends BaseSeed
 'update_user_field' => new Permission([
 'slug' => 'update_user_field',
 'name' => 'Edit user',
- 'conditions' => "!has_role(user.id,{$roleIds['site-admin']}) && subset(fields,['organisations'])",
+ 'conditions' => "$excludeMasters && subset(fields,['organisations'])",
 'description' => 'Edit organisations for users who are not Site Administrators.',
 ]),
 'view_user_field_group' => new Permission([
 'slug' => 'view_user_field',
 'name' => 'View user',
- 'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && in(property,['organisations'])",
+ 'conditions' => "equals_num(self.group_id,user.group_id) && $excludeMasters && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && in(property,['organisations'])",
 'description' => 'View organisations of any user in your own group, except the master user and Site and Group Administrators (except yourself).',
 ]),
 'update_user_field_group' => new Permission([
 'slug' => 'update_user_field',
 'name' => 'Edit group user',
- 'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && subset(fields,['organisations'])",
+ 'conditions' => "equals_num(self.group_id,user.group_id) && $excludeMasters && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && subset(fields,['organisations'])",
 'description' => 'Edit organisations for users in your own group who are not Site or Group Administrators, except yourself.',
 ]),
 'view_user_field_organisation_audit' => new Permission([
 'slug' => 'view_user_field',
 'name' => 'View user',
- 'conditions' => "has_role(self.id,{$roleIds['organisations-admin']}) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && in(property,['activities'])",
+ 'conditions' => "(($canAdminOrgUsers && $excludeMasters) || $isSelf) && in(property,['activities'])",
 'description' => 'View certain properties of any user in your own organisation, except the master user and Site and (global) Organisation Administrators (except yourself).',
 ]),
 'update_user_field_organisation' => new Permission([
 'slug' => 'update_user_field',
 'name' => 'Edit organisation user',
- 'conditions' => "(has_role(self.id,{$roleIds['organisations-admin']}) || has_matching_organisation(self.id,user.id,1)) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
+
+ 'conditions' => "(($canAdminOrgUsers && $excludeMasters) || $isSelf) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
 'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.',
 ]),
 'view_user_field_organisation' => new Permission([
 'slug' => 'view_user_field',
 'name' => 'View user',
- 'conditions' => "has_matching_organisation(self.id,user.id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && in(property,['user_name','name','email','locale','roles','group','organisations'])",
+ 'conditions' => "(($canAdminOrgUsers && $excludeMasters) || $isSelf) && in(property,['user_name','name','email','locale','roles','group','organisations'])",
 'description' => 'View certain properties of any user in your own organisation, except the master user and Site and (global) Organisation Administrators (except yourself).',
 ]),
 ];
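Review bot: The `view_user_field_organisation` rewrite replaces the two-argument `has_matching_organisation(self.id,user.id)` with the three-argument form carried by `$canAdminOrgUsers`, and `view_user_field_organisation_audit` goes the other way, from requiring a global `organisations-admin` on `self` to also admitting organisation-level matches, yet both description strings are unchanged; whether either shift is intended depends on what the third argument means, which nothing in the seed states. In all three organisation entries `|| $isSelf` now sits outside both `$excludeMasters` and the organisation check, so the self branch no longer needs any organisation relationship to hold; for `update_user_field_organisation` that lets the holder edit their own `flag_enabled`, `flag_verified` and `password`, which the removed line granted only when the surrounding clauses were also satisfied, and the description should state that if it is deliberate. `update_user_field` now also excludes the master user through `$excludeMasters` while its description still names only Site Administrators. The stray empty `+` line added above the new `update_user_field_organisation` condition should be dropped. The hunk header counts 40 old lines but only 37 are visible here, so a few blank lines were lost in the collapse, and the enclosing method closes outside the hunk.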