From 2a375698523277886f7b1d63f7262b5cb7996d83 Mon Sep 17 00:00:00 2001
From: Ioannis Igoumenos
Date: Sat, 6 Apr 2024 19:34:08 +0300
Subject: [PATCH] revoke permission on edit actions when on actAs mode
---
 Controller/GrouperGroupsController.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/Controller/GrouperGroupsController.php b/Controller/GrouperGroupsController.php
index 4c8a9c2..f50c289 100644
--- a/Controller/GrouperGroupsController.php
+++ b/Controller/GrouperGroupsController.php
@@ -519,6 +519,8 @@ public function isAuthorized(): array|bool
 // Determine what operations this user can perform
 // Construct the permission set for this user, which will also be passed to the view.
+
+ // XXX In ActAs mode not edit actions are allowed
 $p = [];
 $p['index'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
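Review bot: The added comment `// XXX In ActAs mode not edit actions are allowed` has "not" where "no" is meant, and the `XXX` marker leaves it unclear whether it records a rule or an open problem. It is the only statement of the authorization rule in this function, so it should name the flag that enforces it, for example `// In ActAs mode no state-changing action is permitted: each such permission below also requires !$isActAsEligibilityGroupmember.` isAuthorized() begins before and ends after this hunk.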
@@ -530,16 +532,16 @@ public function isAuthorized(): array|bool
 $p['groupmemberapi'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['getBaseConfig'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['groupSubscribers'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
- $p['addSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
+ $p['addSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
 $p['findSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['usermanager'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['usermanagerapi'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
- $p['removeSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
+ $p['removeSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
- $p['groupCreate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
- $p['joinGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
- $p['leaveGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
- $p['groupcreatetemplate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
+ $p['groupCreate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+ $p['joinGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+ $p['leaveGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+ $p['groupcreatetemplate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
 $p['actAsAction'] = $isActAsEligibilityGroupmember;
 $this->set('permissions', $p);
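Review bot: The six write permissions are gated on `$isActAsEligibilityGroupmember`, which by its name, and by its reuse for `$p['actAsAction']` at the end of the hunk, looks like "user may use ActAs" rather than "an ActAs session is active". It is set outside the hunk, so confirm it is true only while impersonating; otherwise eligible users also lose add/remove/join/leave under their own identity. `groupmemberapi` and `usermanagerapi` stay allowed in this mode, so if either endpoint accepts writes (not visible here) the restriction is incomplete. Because each edit action is denied one by one, an action added later stays writable in ActAs mode by default; computing the role check once and deriving a single modify flag, as sketched below, keeps the rule in one reviewable place. isAuthorized() begins before and continues after this hunk.

```php
// Role check shared by every permission in this set.
$isMember = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
// State-changing actions are refused while the ActAs flag is set.
$canModify = $isMember && !$isActAsEligibilityGroupmember;

// … unchanged: groupmemberapi, getBaseConfig, groupSubscribers …
$p['addSubscriber'] = $canModify;
// … unchanged: findSubscriber, usermanager, usermanagerapi …
$p['removeSubscriber'] = $canModify;

$p['groupCreate'] = $canModify;
$p['joinGroup'] = $canModify;
$p['leaveGroup'] = $canModify;
$p['groupcreatetemplate'] = $canModify;
// … unchanged: actAsAction, $this->set('permissions', $p) …
```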