Fix self permissions for MVEA view action (#304)

COmanage · Feb 26, 2025 · e7507b7 · e7507b7
1 parent 9676d35
commit e7507b7
Show file tree

Hide file tree

Showing 11 changed files with 36 additions and 13 deletions.
diff --git a/app/src/Controller/Component/RegistryAuthComponent.php b/app/src/Controller/Component/RegistryAuthComponent.php
@@ -338,7 +338,7 @@ protected function calculatePermissions(?int $id=null): array {
     $coMember = $this->isCoMember($controller->getCOID());
 
     // Is this me?
-    $selfMember = $this->isSelf($controller->getCOID());
+    $selfMember = $this->isSelf($controller->getCOID(), $id);
 
     // Get the action
     $reqAction = $controller->getRequest()->getParam('action');
@@ -932,10 +932,11 @@ public function isPlatformAdmin(): bool {
    * Determine if the current user is acting as themselves within the specified CO.
    *
    * @param int|null $coId CO ID
+   * @param int|null $id   ID
    * @return bool          True if the current user is acting as themselves
    * @since  COmanage Registry v5.1.0
    */
-  public function isSelf(?int $coId): bool {
+  public function isSelf(?int $coId, ?int $id): bool {
     // We might get called in some contexts without a coId, in which case there
     // are no members.
 
@@ -954,10 +955,20 @@ public function isSelf(?int $coId): bool {
     $controller = $this->getController();
     $request = $controller->getRequest();
     $controllerName = $controller->getName();
+    // View self or filter by the person_id
     $passId = $request->getParam('pass.0');
     $queryPersonIdParam = $request->getQuery('person_id');
     $personId = $this->getPersonID($coId);
 
+    // Associated Models, e.g. MVEAs
+    $modelTable = TableRegistry::getTableLocator()->get($controllerName);
+    $primaryLinks = $modelTable->getPrimaryLinks();
+    if (in_array('person_id', $primaryLinks) && $id !== null) {
+      $modelEntity = $modelTable->get($id);
+      $this->cache['isSelf'][$coId] = $personId == $modelEntity->person_id;
+      return $this->cache['isSelf'][$coId];
+    }
+
 
     $this->cache['isSelf'][$coId] = match(true) {
       // Canvas page

diff --git a/app/src/Model/Table/AdHocAttributesTable.php b/app/src/Model/Table/AdHocAttributesTable.php
@@ -86,14 +86,14 @@ public function initialize(array $config): void {
         'delete' =>   ['platformAdmin', 'coAdmin'],
         'edit' =>     ['platformAdmin', 'coAdmin'],
         'unfreeze' => ['platformAdmin', 'coAdmin'],
-        'view' =>     ['platformAdmin', 'coAdmin']
+        'view' =>     ['platformAdmin', 'coAdmin', 'selfMember']
       ],
       // Actions that are permitted on readonly entities (besides view)
       'readOnly' =>   ['unfreeze'],
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ]
     ]);

diff --git a/app/src/Model/Table/AddressesTable.php b/app/src/Model/Table/AddressesTable.php
@@ -124,7 +124,7 @@ public function initialize(array $config): void {
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ]
     ]);

diff --git a/app/src/Model/Table/EmailAddressesTable.php b/app/src/Model/Table/EmailAddressesTable.php
@@ -129,7 +129,7 @@ public function initialize(array $config): void {
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ]
     ]);

diff --git a/app/src/Model/Table/IdentifiersTable.php b/app/src/Model/Table/IdentifiersTable.php
@@ -136,7 +136,7 @@ public function initialize(array $config): void {
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ],
       // Related models whose permissions we'll need, typically for table views

diff --git a/app/src/Model/Table/NamesTable.php b/app/src/Model/Table/NamesTable.php
@@ -128,7 +128,7 @@ public function initialize(array $config): void {
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ]
     ]);

diff --git a/app/src/Model/Table/PeopleTable.php b/app/src/Model/Table/PeopleTable.php
@@ -170,7 +170,18 @@ public function initialize(array $config): void {
       'Urls'
     ]);
     $this->setIndexContains(['PrimaryName']);
-    $this->setViewContains(['PrimaryName']);
+    $this->setViewContains([
+      'PrimaryName',
+      'Addresses',
+      'AdHocAttributes',
+      'EmailAddresses',
+      'Identifiers',
+      'Names',
+      //'PersonRoles',
+      'Pronouns',
+      'TelephoneNumbers',
+      'Urls'
+    ]);
     $this->setPickerContains([
       'EmailAddresses',
       'Identifiers',

diff --git a/app/src/Model/Table/PronounsTable.php b/app/src/Model/Table/PronounsTable.php
@@ -114,7 +114,7 @@ public function initialize(array $config): void {
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ]
     ]);

diff --git a/app/src/Model/Table/TelephoneNumbersTable.php b/app/src/Model/Table/TelephoneNumbersTable.php
@@ -120,7 +120,7 @@ public function initialize(array $config): void {
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ]
     ]);

diff --git a/app/src/Model/Table/UrlsTable.php b/app/src/Model/Table/UrlsTable.php
@@ -113,7 +113,7 @@ public function initialize(array $config): void {
       // Actions that operate over a table (ie: do not require an $id)
       'table' => [
         'add' =>      ['platformAdmin', 'coAdmin'],
-        'index' =>    ['platformAdmin', 'coAdmin'],
+        'index' =>    ['platformAdmin', 'coAdmin', 'selfMember'],
         'deleted' =>  ['platformAdmin', 'coAdmin']
       ]
     ]);

diff --git a/app/webroot/js/comanage/components/mvea/mvea-item.js b/app/webroot/js/comanage/components/mvea/mvea-item.js
@@ -107,7 +107,8 @@ export default {
           <span v-if="this.mvea.language" class="mr-1 badge bg-light">{{ calcLangHR(this.mvea.language) }}</span>
         </div>
         <!-- row actions -->
-        <actions 
+        <!--   TODO: Should this action be open to the unpriviledged CoMember?     -->
+        <actions
           v-if="!this.mvea.primary_name"
           :actions="[
             {