Another attempt to fix some permissions

2023-09-13 09:03:59 +01:00
parent 7fab295b6f
commit b3b4c19e6d


@@ -50,6 +50,11 @@ class OrganisationPermissions extends BaseSeed
'organisations-admin' => Role::where('slug', 'organisations-admin')->first()->id,
];
$canAdminOrgUsers = "(has_role(self.id,{$roleIds['organisations-admin']}) || (has_matching_organisation(self.id,user.id,1) && !has_role(user.id,{$roleIds['organisations-admin']}))";
$canAdminOrgAdmins = "(has_role(self.id,{$roleIds['organisations-admin']}) || (has_matching_organisation(self.id,user.id,1))";
$excludeMasters = "(!is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}))";
$isSelf = "equals_num(self.id,user.id)";
return [
'create_organisation' => new Permission([
'slug' => 'create_organisation',
@@ -197,8 +202,8 @@ class OrganisationPermissions extends BaseSeed
'uri_user_in_organisation' => new Permission([
'slug' => 'uri_user',
'name' => 'View user',
'conditions' => "(has_role(self.id,{$roleIds['organisations-admin']}) || has_matching_organisation(self.id,user.id,1)) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id))",
'description' => 'View the user page of any user in your group, except the master user and Site and (global) Organisation Administrators (except yourself).',
'conditions' => "(($canAdminOrgAdmins && $excludeMasters) || $isSelf)",
'description' => 'View the user page of any user in your orgnisation, except the master user and Site and (global) Organisation Administrators (except yourself).',
]),
'view_user_field' => new Permission([
'slug' => 'view_user_field',
@@ -209,40 +214,41 @@ class OrganisationPermissions extends BaseSeed
'update_user_field' => new Permission([
'slug' => 'update_user_field',
'name' => 'Edit user',
'conditions' => "!has_role(user.id,{$roleIds['site-admin']}) && subset(fields,['organisations'])",
'conditions' => "$excludeMasters && subset(fields,['organisations'])",
'description' => 'Edit organisations for users who are not Site Administrators.',
]),
'view_user_field_group' => new Permission([
'slug' => 'view_user_field',
'name' => 'View user',
'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && in(property,['organisations'])",
'conditions' => "equals_num(self.group_id,user.group_id) && $excludeMasters && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && in(property,['organisations'])",
'description' => 'View organisations of any user in your own group, except the master user and Site and Group Administrators (except yourself).',
]),
'update_user_field_group' => new Permission([
'slug' => 'update_user_field',
'name' => 'Edit group user',
'conditions' => "equals_num(self.group_id,user.group_id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && subset(fields,['organisations'])",
'conditions' => "equals_num(self.group_id,user.group_id) && $excludeMasters && (!has_role(user.id,{$roleIds['group-admin']}) || equals_num(self.id,user.id)) && subset(fields,['organisations'])",
'description' => 'Edit organisations for users in your own group who are not Site or Group Administrators, except yourself.',
]),
'view_user_field_organisation_audit' => new Permission([
'slug' => 'view_user_field',
'name' => 'View user',
'conditions' => "has_role(self.id,{$roleIds['organisations-admin']}) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && in(property,['activities'])",
'conditions' => "(($canAdminOrgUsers && $excludeMasters) || $isSelf) && in(property,['activities'])",
'description' => 'View certain properties of any user in your own organisation, except the master user and Site and (global) Organisation Administrators (except yourself).',
]),
'update_user_field_organisation' => new Permission([
'slug' => 'update_user_field',
'name' => 'Edit organisation user',
'conditions' => "(has_role(self.id,{$roleIds['organisations-admin']}) || has_matching_organisation(self.id,user.id,1)) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
'conditions' => "(($canAdminOrgUsers && $excludeMasters) || $isSelf) && subset(fields,['name','email','locale','flag_enabled','flag_verified','password'])",
'description' => 'Edit users in your own organisation who are not Site or (global) Organisation Administrators, except yourself.',
]),
'view_user_field_organisation' => new Permission([
'slug' => 'view_user_field',
'name' => 'View user',
'conditions' => "has_matching_organisation(self.id,user.id) && !is_master(user.id) && !has_role(user.id,{$roleIds['site-admin']}) && (!has_role(user.id,{$roleIds['organisations-admin']}) || equals_num(self.id,user.id)) && in(property,['user_name','name','email','locale','roles','group','organisations'])",
'conditions' => "(($canAdminOrgUsers && $excludeMasters) || $isSelf) && in(property,['user_name','name','email','locale','roles','group','organisations'])",
'description' => 'View certain properties of any user in your own organisation, except the master user and Site and (global) Organisation Administrators (except yourself).',
]),
];
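Review bot: The `$canAdminOrgAdmins` string in the first hunk has four opening and only three closing parentheses (`… || (has_matching_organisation(self.id,user.id,1))"`), so the `uri_user_in_organisation` condition that interpolates it in the second hunk is an unbalanced expression that the condition parser will presumably reject or mis-group rather than grant the intended access; the minimal fix is `$canAdminOrgAdmins = "(has_role(self.id,{$roleIds['organisations-admin']}) || has_matching_organisation(self.id,user.id,1))";`, dropping the stray inner paren (compare the balanced `$canAdminOrgUsers` one line above). Separately, `$canAdminOrgAdmins` deliberately omits the `!has_role(user.id,{$roleIds['organisations-admin']})` clause the old condition had, yet the new description for `uri_user_in_organisation` still says "except ... (global) Organisation Administrators (except yourself)" and also misspells "orgnisation", so either the clause should be restored or the description reworded to "View the user page of any user in your organisation, except the master user and Site Administrators." Note too that `|| $isSelf` is OR-ed outside `$excludeMasters` in the `update_user_field_organisation` condition, which (if I read the grammar right) lets any holder of the permission edit their own `flag_enabled`/`flag_verified` regardless of role, whereas the old condition still required the organisation-admin/matching-organisation branch; if that is not intended, move `$isSelf` inside that branch. The method containing these assignments begins before the first hunk.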