revoke permission on edit actions when on actAs mode

internet2 · Apr 6, 2024 · 2a37569 · 2a37569
1 parent 30f2806
commit 2a37569
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/Controller/GrouperGroupsController.php b/Controller/GrouperGroupsController.php
@@ -519,6 +519,8 @@ public function isAuthorized(): array|bool
 
     // Determine what operations this user can perform
     // Construct the permission set for this user, which will also be passed to the view.
+
+    // XXX In ActAs mode not edit actions are allowed
     $p = [];
 
     $p['index'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
@@ -530,16 +532,16 @@ public function isAuthorized(): array|bool
     $p['groupmemberapi'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
     $p['getBaseConfig'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
     $p['groupSubscribers'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
-    $p['addSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
+    $p['addSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
     $p['findSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
     $p['usermanager'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
     $p['usermanagerapi'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
-    $p['removeSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
+    $p['removeSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
 
-    $p['groupCreate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
-    $p['joinGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
-    $p['leaveGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
-    $p['groupcreatetemplate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
+    $p['groupCreate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+    $p['joinGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+    $p['leaveGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+    $p['groupcreatetemplate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
     $p['actAsAction'] = $isActAsEligibilityGroupmember;
 
     $this->set('permissions', $p);