From f35548e7676f7d098b5960193522528d86484168 Mon Sep 17 00:00:00 2001
From: Tom Udding
Date: Thu, 17 Oct 2024 18:15:46 +0200
Subject: [PATCH] fix: conflict in permissions for decisions for active members

Active members were able to see the 'Meetings' tab due to the `decision_admin` being too broad. We could have gone for a `viewOrgan` privilege on the `decision_admin` object, however, it feels better to make it a separate `decision_organ_admin`.
---
 module/Application/view/partial/admin.phtml | 2 +-
 module/Application/view/partial/main-nav.phtml | 1 +
 module/Decision/src/Service/AclService.php | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/module/Application/view/partial/admin.phtml b/module/Application/view/partial/admin.phtml
index 59d058befa..4023a30623 100644
--- a/module/Application/view/partial/admin.phtml
+++ b/module/Application/view/partial/admin.phtml
@@ -163,7 +163,7 @@ use Laminas\View\Renderer\PhpRenderer;
- acl('decision_service_acl')->isAllowed('decision_admin', 'view')): ?>
+ acl('decision_service_acl')->isAllowed('decision_organ_admin', 'view')): ?>
  • translate('Organs') ?>
diff --git a/module/Application/view/partial/main-nav.phtml b/module/Application/view/partial/main-nav.phtml
index df8d114d6b..43799002a3 100644
--- a/module/Application/view/partial/main-nav.phtml
+++ b/module/Application/view/partial/main-nav.phtml
@@ -197,6 +197,7 @@ endif; ?>
 $this->acl('activity_service_acl')->isAllowed('activity_admin', 'view')
 || $this->acl('company_service_acl')->isAllowed('company_admin', 'view')
 || $this->acl('decision_service_acl')->isAllowed('decision_admin', 'view')
+ || $this->acl('decision_service_acl')->isAllowed('decision_organ_admin', 'view')
 || $this->acl('education_service_acl')->isAllowed('education_admin', 'view')
 || $this->acl('frontpage_service_acl')->isAllowed('frontpage_admin', 'view')
 || $this->acl('photo_service_acl')->isAllowed('photo_admin', 'view')
diff --git a/module/Decision/src/Service/AclService.php b/module/Decision/src/Service/AclService.php
index 3782bb5758..ee4c88e421 100644
--- a/module/Decision/src/Service/AclService.php
+++ b/module/Decision/src/Service/AclService.php
@@ -23,6 +23,7 @@ protected function createAcl(): void
 $this->acl->addResource(new Resource('gdpr'));
 // Define administration part of this module, however, sub-permissions must be manually configured.
 $this->acl->addResource(new Resource('decision_admin'));
+ $this->acl->addResource(new Resource('decision_organ_admin'));
 // users are allowed to view the organs
 $this->acl->allow('guest', 'organ', 'list');
@@ -30,7 +31,7 @@ protected function createAcl(): void
 // Organ members are allowed to edit organ information of their own organs
 $this->acl->allow('active_member', 'organ', 'edit');
- $this->acl->allow('active_member', 'decision_admin', 'view');
+ $this->acl->allow('active_member', 'decision_organ_admin', 'view');
 // users are allowed to view and search members
 $this->acl->allow('user', 'member', ['view', 'view_self', 'search', 'birthdays']);
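Review bot: The replaced condition in admin.phtml now gates the Organs entry on `decision_organ_admin` alone, so any role that holds `decision_admin` but is not granted the new resource would lose that link; the AclService hunk in this patch grants `decision_organ_admin` only to `active_member`, and whether the administrator roles inherit from `active_member` or receive the resource elsewhere is not visible here. If they do not, either add that grant in `createAcl()` or keep the broad check alongside the narrow one: `$this->acl('decision_service_acl')->isAllowed('decision_organ_admin', 'view') || $this->acl('decision_service_acl')->isAllowed('decision_admin', 'view')`. The `<?php if (...)` opening and the surrounding list markup of this hunk were lost in rendering, so the exact line shape is inferred.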
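Review bot: The new `$this->acl->addResource(new Resource('decision_organ_admin'));` line in the first AclService hunk has no comment saying how the resource differs from `decision_admin`, and the commit message is the only record of that split; a short comment such as `// Narrow admin resource: lets organ members reach the organ pages of the admin area without the rest of decision_admin.` would keep the two from drifting apart. In the second hunk the only grant on the new resource is `view` for `active_member`, and the view partials changed in this patch only decide menu visibility, not authorization; the controller and routes that serve the organ admin pages should check `decision_organ_admin` (or the `organ` resource) rather than `decision_admin`, otherwise active members see a link the controller then refuses, and a controller that checks nothing would be reachable by anyone who guesses the URL. Both hunks fall inside `createAcl()`, whose body extends beyond them.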