From 166bca79d30c6abefd803b78dd2f3f2de4abb1cf Mon Sep 17 00:00:00 2001
From: Ioannis Igoumenos
Date: Sat, 6 Apr 2024 18:11:40 +0300
Subject: [PATCH 1/3] User the self userId when calculating the permissions

---
 Controller/GrouperGroupsController.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Controller/GrouperGroupsController.php b/Controller/GrouperGroupsController.php
index 03d74ed..4c8a9c2 100644
--- a/Controller/GrouperGroupsController.php
+++ b/Controller/GrouperGroupsController.php
@@ -248,10 +248,15 @@ public function findSubscriber(): void
 }
 
 /**
+ * @param bool $self By passes the actAsIdentifier condition
+ *
 * @return null|string
 */
- public function getUserId(): ?string
+ public function getUserId(bool $self = false): ?string
 {
+ if($self) {
+ return $this->userId;
+ }
 // XXX We are anot acting as but we are impersonating an other user. As a result
 // both the actor and the user need to have the same identifier
 return $this->actAsIdentifier ?? $this->userId;
@@ -508,7 +513,8 @@ public function isAuthorized(): array|bool
 $isActAsEligibilityGroupmember = false;
 
 if(!empty($eligibleGroup)) {
- $isActAsEligibilityGroupmember = $this->GrouperGroup->isGroupMember($this->getUserId(), $eligibleGroup, $cfg);
+ $isActAsEligibilityGroupmember = $this->GrouperGroup->isGroupMember($this->getUserId(self: true),
+ $eligibleGroup, $cfg);
 }
 
 // Determine what operations this user can perform
From 30f280624a32f628147248a01cc545ebbecf63b5 Mon Sep 17 00:00:00 2001
From: Ioannis Igoumenos
Date: Sat, 6 Apr 2024 19:28:40 +0300
Subject: [PATCH 2/3] Disable buttons on ActAs mode

---
 View/Elements/ActAsPeopleAutocomplete.ctp | 1 -
 View/Elements/ActionSideBar.ctp | 1 +
 webroot/css/co-grouper-base.css | 10 ++++++++++
 webroot/js/autocomplete.js | 10 +++++++---
 webroot/js/groups-table.js | 8 +++++---
 webroot/js/members.js | 9 ++++++---
 webroot/js/nested-table.js | 5 ++++-
 7 files changed, 33 insertions(+), 11 deletions(-)
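Review bot: In PATCH 1/3, `getUserId(bool $self = false)` picks between two different identities with a boolean flag, and the default still returns `$this->actAsIdentifier` when it is set, so any authorization check that forgets `self: true` evaluates the impersonated user rather than the authenticated actor. Two explicitly named accessors would make every call site state which identity it means; at minimum the docblock should spell it out, for example `@param bool $self When true, return the authenticated user's own identifier and ignore actAsIdentifier; use this for checks on the actor's privileges`. The inline comment reads `We are anot acting as`, which should be `We are not acting as`. Where `actAsIdentifier` is assigned is outside this hunk, so whether it can be set before the eligibility check has passed needs to be confirmed there.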
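Review bot: In the `isAuthorized()` hunk of PATCH 1/3, `getUserId(self: true)` is declared `?string` and its result goes straight into `isGroupMember()` without a null check, so a session with no user identifier reaches the act-as eligibility lookup with `null`. Because this value decides who may impersonate, the check should fail closed: `$actorId = $this->getUserId(self: true);` followed by `if ($actorId !== null && !empty($eligibleGroup)) {`. `isGroupMember()` is not visible here, so how it treats a null identifier is unconfirmed, and the body of `isAuthorized()` continues outside the hunk.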
diff --git a/View/Elements/ActAsPeopleAutocomplete.ctp b/View/Elements/ActAsPeopleAutocomplete.ctp index ed71650..ed73ecb 100644 --- a/View/Elements/ActAsPeopleAutocomplete.ctp +++ b/View/Elements/ActAsPeopleAutocomplete.ctp @@ -165,7 +165,6 @@ $suffix = Configure::read('debug') > 0 ? '?time=' . time() : ''; ` }); diff --git a/View/Elements/ActionSideBar.ctp b/View/Elements/ActionSideBar.ctp index 339bcfb..588fe63 100644 --- a/View/Elements/ActionSideBar.ctp +++ b/View/Elements/ActionSideBar.ctp @@ -24,6 +24,7 @@ element('ActAsPeopleAutocomplete', compact('vv_config', 'vv_coid', + 'vv_act_as_people', 'vv_is_user_owner', 'htmlId') )?> diff --git a/webroot/css/co-grouper-base.css b/webroot/css/co-grouper-base.css index d2e2e5b..a1aab2e 100644 --- a/webroot/css/co-grouper-base.css +++ b/webroot/css/co-grouper-base.css @@ -22,6 +22,16 @@ font-size: 0.8rem; } +button:disabled, +input[type=button]:disabled, +input[type=button][disabled], +button[disabled]{ + background:#999 !important; + color:#ffffff !important; + border: none !important; + cursor: not-allowed; +} + #content .material-icons.lg { font-size: 1.2rem; } diff --git a/webroot/js/autocomplete.js b/webroot/js/autocomplete.js index 3baf2b4..da2e95e 100644 --- a/webroot/js/autocomplete.js +++ b/webroot/js/autocomplete.js @@ -10,7 +10,7 @@ export default { type: String, default: 'add' }, - forceDisableBtn: { + forceDisable: { type: Boolean, default: false }, @@ -23,7 +23,7 @@ export default { default: '' } }, - inject: ['txt', 'api', 'all'], + inject: ['txt', 'api', 'other'], data() { return { search: '', @@ -45,7 +45,7 @@ export default { enableBtnFunc() { // The minimum length that i start search is 3. So we only enable the button when // the input text value has at least three characters - return this.enableBtn && !this.forceDisableBtn + return this.enableBtn && !this.forceDisable }, }, computed: { 
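Review bot: The rule added to `co-grouper-base.css` (`button:disabled, input[type=button]:disabled, ...`) is unscoped and marks three properties `!important`, so it restyles every disabled button on any page that loads this stylesheet, not only the act-as controls this patch disables. Scoping it under a container selector, such as the `#content` prefix the neighbouring `.material-icons.lg` rule uses, would keep the change local, for example `#content button:disabled, #content input[type=button]:disabled { ... }`. The `:disabled` and `[disabled]` variants largely match the same elements, so one of each pair is probably enough.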
@@ -62,6 +62,9 @@ export default { this.url = `${this.api.find}?co=${this.api.co}&mode=${this.api.mode}&page=${this.page}&limit=${this.limit}` input.autocomplete({ source: ( request, response ) => { + if(this.forceDisable) { + return ["Not allowed"] + } $(`#autocomplete-search-container-${this.action} .co-loading-mini`).show(); $.ajax({ url: this.url, @@ -117,6 +120,7 @@ export default { name="display" class="form-control" v-model="search" + :disabled="this.forceDisable" :placeholder="txt.peoplePickerPlaceHolder"/> diff --git a/webroot/js/groups-table.js b/webroot/js/groups-table.js index 1449197..f9f9304 100644 --- a/webroot/js/groups-table.js +++ b/webroot/js/groups-table.js @@ -11,6 +11,7 @@ export default { return status === 'T' ? 'Enabled' : 'Disabled' } }, + inject: ['txt', 'api', 'other'], created() {}, template: /*html*/` @@ -38,7 +39,7 @@ export default { v-if="$attrs.onJoinGroup" @click="$emit('joinGroup', group)" class="btn btn-sm btn-block text-nowrap m-1 btn-success" type="button" - :disabled="group.loading"> + :disabled="group.loading || this.other.hasActAs"> {{ txt.join }}   @@ -47,7 +48,7 @@ export default { v-if="$attrs.onLeaveGroup" @click="$emit('leaveGroup', group)" class="btn btn-sm btn-block text-nowrap m-1 btn-danger" type="button" - :disabled="group.loading"> + :disabled="group.loading || this.other.hasActAs"> {{ txt.leave }} @@ -57,6 +58,7 @@ export default { class="btn btn-grouper btn-block btn-primary btn-sm m-1 text-nowrap members-btn" @click="$emit('showSubscribers', group)" :data-id="encodeURIComponent(group.name)" + :disabled="this.other.hasActAs" :data-name="group.displayExtension">{{ txt.members }} 
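Review bot: In the `source` callback of `autocomplete.js`, the early exit `return ["Not allowed"]` has no effect on the widget, because jQuery UI ignores the callback's return value and expects `response(...)` to be called on every path. As written, a search started while `forceDisable` is true leaves the autocomplete in a pending state and the "Not allowed" text is never shown. Replace the body of the guard with `response([]); return;`. The callback continues outside the hunk.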
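Review bot: The `:disabled="group.loading || this.other.hasActAs"` bindings on the join, leave, members and remove buttons in `groups-table.js` (including the `-64,7` hunk, and the related changes in `autocomplete.js` and, per the diffstat, `members.js` and `nested-table.js`) restrict the actions only in the browser, which is a presentation state and not an access control. The diffstat of PATCH 2/3 lists only view, CSS and JS files, so if act-as mode is meant to be read-only, the server-side handlers for join, leave, add and remove should reject those requests while an act-as identity is active, unless existing controller code or PATCH 3/3 already does so. Separately, `this.` is unnecessary inside Vue template expressions, so `other.hasActAs` is the conventional form. A short comment on the new `inject: ['txt', 'api', 'other']` line, noting that the parent app must provide `other` with a `hasActAs` flag, would document the dependency.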
@@ -64,7 +66,7 @@ export default { v-if="$attrs.onRemoveUser" class="btn btn-sm btn-block text-nowrap m-1 btn-danger" type="button" @click="$emit('removeUser', group)" - :disabled="group.loading" + :disabled="group.loading || this.other.hasActAs" :data-id="encodeURIComponent(group.name)" :data-name="group.displayExtension"> {{ txt.remove }} diff --git a/webroot/js/members.js b/webroot/js/members.js index cd15a2f..ac71a1c 100644 --- a/webroot/js/members.js +++ b/webroot/js/members.js @@ -34,7 +34,7 @@ export default { remove: Boolean, default: false }, - inject: ['txt', 'api'], + inject: ['txt', 'api', 'other'], components: { Loader, Autocomplete @@ -163,7 +163,8 @@ export default {
- +
@@ -182,7 +183,9 @@ export default { {{ subscriber.id }} diff --git a/webroot/js/nested-table.js b/webroot/js/nested-table.js index eff276b..a60ff9a 100644 --- a/webroot/js/nested-table.js +++ b/webroot/js/nested-table.js @@ -39,7 +39,10 @@ export default {
-
-