Replaced "can_admin_via_orgs" auth check & added an explicit flag to the members check

2023-06-06 15:52:54 +01:00
parent 85175f2ead
commit de85fd6e47
1 changed files with 28 additions and 14 deletions
--- a/src/ServicesProvider/ServicesProvider.php
+++ b/src/ServicesProvider/ServicesProvider.php
@@ -71,12 +71,17 @@ class ServicesProvider
             * @param  int  $organisation_id the id of the target organisation.
             * @return bool true if $user is a member of $organisation.
             */
-            $new_authorizer->addCallback('is_organisation_member', function ($user_id, $organisation_id) {
-                return Capsule::table('organisation_members')
+            $new_authorizer->addCallback('is_organisation_member', function ($user_id, $organisation_id, $explicit = false) {
+                $query = Capsule::table('organisation_members')
                    ->where('user_id', $user_id)
                    ->where('organisation_id', $organisation_id)
-                    ->where('flag_approved', true)
-                    ->count() > 0;
+                    ->where('flag_approved', true);
+
+                if ($explicit) {
+                    $query = $query->where('flag_admin', false);
+                }
+
+                return $query->count() > 0;
            });

            /*
@@ -95,19 +100,28 @@ class ServicesProvider
            });

            /*
-             * Check if $admin_id can modify $user_id via any of their joint organisations
+             * Check if $user_A_id is in an organisation that $user_B_id is also in
             *
-             * @param  int  $admin_id      the id of the admin user (normally currentUser->id).
-             * @param  int  $user_id       the id of the target user.
-             * @return bool true if $admin_id is an administrator of an organisation with $user_id in.
+             * @param  int  $user_A_id        the id of the first user (normally currentUser->id).
+             * @param  int  $user_B_id        the id of the second user.
+             * @param  bool  $check_is_admin  also check if A can administrate B.
+             * @return bool true if $user_A_id in an organisation with $user_B_id in.
             */
-            $new_authorizer->addCallback('can_admin_via_orgs', function ($admin_id, $user_id) {
-                $admin = User::findInt($admin_id);
-                $user = User::findInt($user_id);
+            $new_authorizer->addCallback('has_matching_organisation', function ($user_A_id, $user_B_id, $check_is_admin = false) {
+                $user_A = User::findInt($user_A_id);
+                $user_B = User::findInt($user_B_id);

-                foreach($admin->adminForOrganisations()->get() as $org) {
-                    if ($org->members(true)->where('user_id', $user_id)->count() > 0) {
-                        return true;
+                if ($check_is_admin) {
+                    foreach($user_A->adminForOrganisations()->get() as $org) {
+                        if ($org->members(true)->where('user_id', $user_B_id)->count() > 0) {
+                            return true;
+                        }
+                    }
+                } else {
+                    foreach($user_A->organisations()->get() as $org) {
+                        if ($org->members(true)->where('user_id', $user_B_id)->count() > 0) {
+                            return true;
+                        }
                    }
                }