Merge pull request #130 from lionick/handle_pending_petitions

Dont show petition to all couadmins only to the couadmins of  the specific COU related to the petition

CHANGELOG.md

@@ -3,6 +3,13 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
+## Unreleased
+
+### Fixed
+
+- Show only petitions related to COUs that user is admin or approver to the related enrollment flow (index view)
+- COU admin can't see a petition which is not related to the COU(s) that administrates (petition view)
+
 ## [3.3.2-rciam] - 2021-10-12
 
 ### Fixed

app/Controller/CoPetitionsController.php

@@ -2124,18 +2124,21 @@ function isAuthorized() {
       $curEnrollee = $pt['CoPetition']['enrollee_co_person_id'];
       $petitionerToken = $pt['CoPetition']['petitioner_token'];
       $enrolleeToken = $pt['CoPetition']['enrollee_token'];
-
+
+      // Check if user is admin to the cou_id (if petition has cou_id)
+      $isCouAdmin = !empty($pt['CoPetition']['cou_id']) ? $this->Role->isCouAdmin($roles['copersonid'], $pt['CoPetition']['cou_id']) : false;
+
       // Select admins can also act as the petitioner
       $isPetitioner = $roles['cmadmin']
                       || $roles['coadmin']
-                      || ($roles['couadmin'] && $this->Role->isCouAdminForCoPerson($roles['copersonid'], $curPetitioner))
+                      || $isCouAdmin
                       || ($curPetitioner && ($curPetitioner == $roles['copersonid']))
                       || ($petitionerToken != '' && $petitionerToken == $this->parseToken());
 
       // Select admins can also act as the enrollee
       $isEnrollee = $roles['cmadmin']
                     || $roles['coadmin']
-                    || ($roles['couadmin'] && $this->Role->isCouAdminForCoPerson($roles['copersonid'], $curEnrollee))
+                    || $isCouAdmin
                     || ($curEnrollee && ($curEnrollee == $roles['copersonid']))
                     || ($enrolleeToken != '' && $enrolleeToken == $this->parseToken());
 
@@ -2197,7 +2200,7 @@ function isAuthorized() {
 
     // View an existing CO Petition? We allow the usual suspects to view a Petition, even
     // if they don't have permission to edit it. Also approvers need to be able to see the Petition.
-    $p['view'] = ($roles['cmadmin'] || $roles['coadmin'] || $roles['couadmin'] || $isApprover || $isPetitioner || $isEnrollee);
+    $p['view'] = ($roles['cmadmin'] || $roles['coadmin'] || $isCouAdmin || $isApprover || $isPetitioner || $isEnrollee);
 
     if($this->action == 'index' && $p['index']) {
       // These permissions may not be exactly right, but they only apply when rendering
@@ -2375,6 +2378,26 @@ function paginationConditions() {
         $pagcond['conditions']['CoPetition.co_enrollment_flow_id'] = -1;
       }
     }
+    // Check if user is couadmin and not coadmin or cmadmin
+    else {
+      $roles = $this->Role->calculateCMRoles();
+      if($roles['couadmin'] && !$roles['coadmin'] && !$roles['cmadmin']) {
+        // if user is couadmin then bring those petitions that are related with the cous that is admin
+        // also bring those petitions that user is approver, if any
+        $efs = $this->Role->approverFor($coPersonId);
+        if(!empty($efs)) {
+          $pagcond['conditions']['AND'][] = array(
+            'OR' => array(
+              'CoPetition.co_enrollment_flow_id IN' => $efs,
+              'CoPetition.cou_id IN' => array_keys($roles['admincous'])
+            )
+          );  
+        }
+        else {
+          $pagcond['conditions']['CoPetition.cou_id IN'] = array_keys($roles['admincous']);
+        }
+      }
+    }
 
     // Because we're using Linkable behavior to join deeply nested models, we need to
     // explicitly state which fields can be used for sorting.