From 41b6e46f18a1f73484b00b3735af7eb221c109d7 Mon Sep 17 00:00:00 2001
From: Wisdom Ebong <wisdom@ushahidi.com>
Date: Tue, 17 Oct 2023 14:37:36 +0100
Subject: [PATCH] fix: issues with set entity access control system

---
 src/Ushahidi/Core/Tool/Acl.php                |  2 +-
 .../Core/Tool/Authorizer/SetAuthorizer.php    | 26 ++++++++++---------
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/Ushahidi/Core/Tool/Acl.php b/src/Ushahidi/Core/Tool/Acl.php
index 31ac25801c..23d7038b6a 100644
--- a/src/Ushahidi/Core/Tool/Acl.php
+++ b/src/Ushahidi/Core/Tool/Acl.php
@@ -57,7 +57,7 @@ public function hasPermission(Entity $user, $permission)
     protected function customRoleHasPermission(Entity $user, $permission)
     {
         $role = $this->role_repo->getByName($user->role);
-        if (isset($role->permissions) && is_null($role->permissions) === false) {
+        if (isset($role->permissions) && is_array($role->permissions)) {
             $permissions = array_map('strtolower', $role->permissions);
 
             // Does the user have the permission?
diff --git a/src/Ushahidi/Core/Tool/Authorizer/SetAuthorizer.php b/src/Ushahidi/Core/Tool/Authorizer/SetAuthorizer.php
index 44f056fde5..9d5e30855e 100644
--- a/src/Ushahidi/Core/Tool/Authorizer/SetAuthorizer.php
+++ b/src/Ushahidi/Core/Tool/Authorizer/SetAuthorizer.php
@@ -70,32 +70,34 @@ public function isAllowed(Entity $entity, $privilege)
             return false;
         }
 
-        // First check whether there is a role with the right permissions
+        // We check if a user has the 'admin' role. If they do they're
+        // allowed access to everything (all entities and all privileges)
+        $is_admin = $this->isUserAdmin($user);
+        if ($is_admin) {
+            return true;
+        }
+
+        // We check whether there is a role with the right permissions
         if ($this->acl->hasPermission($user, Permission::MANAGE_SETS)) {
             return true;
         }
 
+        // Non-admin users are not allowed to make sets featured
+        if (!$is_admin && $entity->hasChanged('featured') && in_array($privilege, ['create', 'update'])) {
+            return false;
+        }
+
         $isUserOwner = $this->isUserOwner($entity, $user);
         // If the user is the owner of this set, they can do anything
         if ($isUserOwner) {
             return true;
         }
 
+        // TODO: We want to check if the set entity is available only to owner
         // if (!$isUserOwner && $entity->view_options['only_me'] == true) {
         //     return false;
         // }
 
-        // Then we check if a user has the 'admin' role. If they do they're
-        // allowed access to everything (all entities and all privileges)
-        if ($this->isUserAdmin($user)) {
-            return true;
-        }
-
-        // Non-admin users are not allowed to make sets featured
-        if (in_array($privilege, ['create', 'update']) and $entity->hasChanged('featured')) {
-            return false;
-        }
-
         // Check if the Set is only visible to specific roles.
         if ($this->isVisibleToUser($entity, $user) and $privilege === 'read') {
             return true;