fix: issues with set entity access control system

ushahidi · Oct 17, 2023 · 41b6e46 · 41b6e46
1 parent 365b05a
commit 41b6e46
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 13 deletions.
diff --git a/src/Ushahidi/Core/Tool/Acl.php b/src/Ushahidi/Core/Tool/Acl.php
@@ -57,7 +57,7 @@ public function hasPermission(Entity $user, $permission)
     protected function customRoleHasPermission(Entity $user, $permission)
     {
         $role = $this->role_repo->getByName($user->role);
-        if (isset($role->permissions) && is_null($role->permissions) === false) {
+        if (isset($role->permissions) && is_array($role->permissions)) {
             $permissions = array_map('strtolower', $role->permissions);
 
             // Does the user have the permission?

diff --git a/src/Ushahidi/Core/Tool/Authorizer/SetAuthorizer.php b/src/Ushahidi/Core/Tool/Authorizer/SetAuthorizer.php
@@ -70,32 +70,34 @@ public function isAllowed(Entity $entity, $privilege)
             return false;
         }
 
-        // First check whether there is a role with the right permissions
+        // We check if a user has the 'admin' role. If they do they're
+        // allowed access to everything (all entities and all privileges)
+        $is_admin = $this->isUserAdmin($user);
+        if ($is_admin) {
+            return true;
+        }
+
+        // We check whether there is a role with the right permissions
         if ($this->acl->hasPermission($user, Permission::MANAGE_SETS)) {
             return true;
         }
 
+        // Non-admin users are not allowed to make sets featured
+        if (!$is_admin && $entity->hasChanged('featured') && in_array($privilege, ['create', 'update'])) {
+            return false;
+        }
+
         $isUserOwner = $this->isUserOwner($entity, $user);
         // If the user is the owner of this set, they can do anything
         if ($isUserOwner) {
             return true;
         }
 
+        // TODO: We want to check if the set entity is available only to owner
         // if (!$isUserOwner && $entity->view_options['only_me'] == true) {
         //     return false;
         // }
 
-        // Then we check if a user has the 'admin' role. If they do they're
-        // allowed access to everything (all entities and all privileges)
-        if ($this->isUserAdmin($user)) {
-            return true;
-        }
-
-        // Non-admin users are not allowed to make sets featured
-        if (in_array($privilege, ['create', 'update']) and $entity->hasChanged('featured')) {
-            return false;
-        }
-
         // Check if the Set is only visible to specific roles.
         if ($this->isVisibleToUser($entity, $user) and $privilege === 'read') {
             return true;