From d9c3bac55cf474b00e50a76c88a1967b37bf7bd7 Mon Sep 17 00:00:00 2001
From: Ioannis Igoumenos
Date: Thu, 15 Aug 2024 11:04:30 +0300
Subject: [PATCH] fix actAs permission confilict
---
 Controller/GrouperGroupsController.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/Controller/GrouperGroupsController.php b/Controller/GrouperGroupsController.php
index 8683bc6..8025e34 100644
--- a/Controller/GrouperGroupsController.php
+++ b/Controller/GrouperGroupsController.php
@@ -248,7 +248,7 @@ public function findSubscriber(): void
 }
 /**
- * @param bool $self By passes the actAsIdentifier condition
+ * @param bool $self Bypasses the actAsIdentifier condition
 *
 * @return null|string
 */
@@ -521,6 +521,7 @@ public function isAuthorized(): array|bool
 // Find if the user belongs to Group
 $eligibleGroup = $cfg['CoGrouperLiteWidget']['act_as_grp_name'];
 $isActAsEligibilityGroupmember = false;
+ $isActAsEnabled = !empty($eligibleGroup) && ($this->getUserId(self: true) !== $this->getUserId());
 if(!empty($eligibleGroup)) {
 $isActAsEligibilityGroupmember = $this->GrouperGroup->isGroupMember($this->getUserId(self: true),
@@ -542,16 +543,16 @@ public function isAuthorized(): array|bool
 $p['groupmemberapi'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['getBaseConfig'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['groupSubscribers'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
- $p['addSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+ $p['addSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEnabled;
 $p['findSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['usermanager'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
 $p['usermanagerapi'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']);
- $p['removeSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+ $p['removeSubscriber'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEnabled;

- $p['groupCreate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
- $p['joinGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
- $p['leaveGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
- $p['groupcreatetemplate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEligibilityGroupmember;
+ $p['groupCreate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEnabled;
+ $p['joinGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEnabled;
+ $p['leaveGroup'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEnabled;
+ $p['groupcreatetemplate'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['comember']) && !$isActAsEnabled;
 $p['actAsAction'] = 
$isActAsEligibilityGroupmember;
 $this->set('permissions', $p);
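Review bot: `$isActAsEnabled` (defined in the `@@ -521` hunk and used here to gate `addSubscriber`, `removeSubscriber`, `groupCreate`, `joinGroup`, `leaveGroup` and `groupcreatetemplate`) is false whenever `act_as_grp_name` is empty, even if `getUserId()` still returns an identifier different from `getUserId(self: true)`. The body of `getUserId()` is outside this diff, so if it can return a stored act-as identifier without re-checking the configuration, clearing the group name would re-enable these write actions while the session is still acting as another user. Deriving the flag from the identifier comparison alone fails closed: `$isActAsEnabled = $this->getUserId(self: true) !== $this->getUserId();`. A one-line comment above it, e.g. `// Write actions are denied while acting as another user`, would also record why these six permissions differ from the read-only ones. `isAuthorized()` starts and ends outside these hunks.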