diff --git a/modules/templates/RLP/helpers.py b/modules/templates/RLP/helpers.py
index 9c9569452..7db2bfc17 100644
--- a/modules/templates/RLP/helpers.py
+++ b/modules/templates/RLP/helpers.py
@@ -105,7 +105,7 @@ def rlp_delegation_read_multiple_orgs():
 otable = current.s3db.org_organisation
 query = (otable.pe_id.belongs(realms)) & \
 (otable.deleted == False)
- rows = current.db(query).select(otable.id)
+ rows = current.db(query).select(otable.id, limitby=(0, len(realms)))
 multiple_orgs = len(rows) > 1
 org_ids = [row.id for row in rows]
 
diff --git a/modules/templates/RLPPTM/config.py b/modules/templates/RLPPTM/config.py
index ece67d6d5..a1eabe6a5 100644
--- a/modules/templates/RLPPTM/config.py
+++ b/modules/templates/RLPPTM/config.py
@@ -1141,10 +1141,21 @@ def prep(r):
 
 # Custom form
 if is_org_group_admin:
+ record = r.record
+ user = auth.user
+ if record and user:
+ # Only OrgGroupAdmins managing this organisation can change
+ # its org group membership (=organisation must be within realm):
+ realm = user.realms.get(auth.get_system_roles().ORG_GROUP_ADMIN)
+ groups_readonly = realm is not None and record.pe_id not in realm
+ else:
+ groups_readonly = False
+
 groups = S3SQLInlineLink("group",
 field = "group_id",
 label = T("Organization Group"),
 multiple = False,
+ readonly = groups_readonly,
 )
 types = S3SQLInlineLink("organisation_type",
 field = "organisation_type_id",
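Review bot: The bound `limitby=(0, len(realms))` in `rlp_delegation_read_multiple_orgs` (RLP/helpers.py) is unexplained, and it is only safe if at most one organisation can match each entry in `realms`. If that assumption ever stops holding, `org_ids` is silently truncated, and since the function name suggests the result feeds a read-permission decision, the effect would be hard to notice. A comment such as `# pe_id is unique per organisation, so at most len(realms) rows can match` above the select would record the assumption. `realms` is assigned outside the hunk, so it is worth confirming it can never be `None` here, because `len(None)` would raise.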
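Review bot: Every fallback in the new block in `prep` (RLPPTM/config.py) resolves to a writable field: `groups_readonly` is `False` when `r.record` or `auth.user` is missing, and also when `user.realms.get(...)` returns `None`, which `.get` yields both for a stored `None` and for a role that is absent from `realms`. If that fail-open behaviour is intended, a comment like `# realm None = role not restricted to entities, membership stays editable` would make the choice explicit for the next maintainer. Separately, `readonly` is a form-widget option, so it is worth confirming that S3SQLInlineLink also ignores submitted values for a read-only link on POST, so that the restriction does not rest only on what the form renders. `prep` starts and continues outside the hunk, so how `is_org_group_admin` is derived and whether another check backs this one is not visible here.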