Merge pull request #1221 from cytomine/master

do not remove ontology access if user has still access to project (do…
cytomine · May 25, 2022 · e901b7e · e901b7e
2 parents 4f72d03 + 191779a
commit e901b7e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/grails-app/services/be/cytomine/security/SecUserService.groovy b/grails-app/services/be/cytomine/security/SecUserService.groovy
@@ -827,15 +827,19 @@ class SecUserService extends ModelService {
         }
         if (project) {
             log.info "deleteUserFromProject project=" + project?.id + " username=" + user?.username + " ADMIN=" + admin
-            if(project.ontology) {
-                removeOntologyRightIfNecessary(project, user, admin)
-            }
+
             if(admin) {
                 permissionService.deletePermission(project, user.username, ADMINISTRATION)
             }
             else {
                 permissionService.deletePermission(project, user.username, READ)
             }
+
+            if(!project.hasACLPermission(user, READ) && !project.hasACLPermission(user, ADMINISTRATION)  && project.ontology) {
+                removeOntologyRightIfNecessary(project, (User)user, admin)
+            }
+
+
             ProjectRepresentativeUser representative = ProjectRepresentativeUser.findByUserAndProject(user, project)
             if(representative) {
                 projectRepresentativeUserService.delete(representative)
@@ -845,7 +849,7 @@ class SecUserService extends ModelService {
             if (projectRepresentativeUserService.listByProject(project).size()==0) {
                 if (!securityACLService.getProjectList(cytomineService.currentUser).contains(project)) {
                     // if current user is not in project (= SUPERADMIN), add to the project
-                    addUserToProject(user, project, true)
+                    addUserToProject(cytomineService.currentUser, project, true)
                 }
                 log.info("add current user ${cytomineService.currentUser.id} as representative for project ${project.id}")
                 def json = JSON.parse(new ProjectRepresentativeUser(project:project, user:cytomineService.currentUser).encodeAsJSON());

diff --git a/src/groovy/be/cytomine/CytomineDomain.groovy b/src/groovy/be/cytomine/CytomineDomain.groovy
@@ -17,6 +17,7 @@ package be.cytomine
 */
 
 import be.cytomine.security.SecUser
+import be.cytomine.security.User
 import grails.converters.JSON
 import grails.util.Holders
 import groovy.sql.Sql
@@ -189,6 +190,11 @@ abstract class CytomineDomain  implements Comparable,Serializable{
     }
 
 
+    boolean hasACLPermission(User user, Permission permission) {
+        def masks = getPermissionInACL(this,user)
+        return masks.max() >= permission.mask
+    }
+
     List getPermissionInACL(def domain, def user = null) {
         try {
             String request = "SELECT mask FROM acl_object_identity aoi, acl_sid sid, acl_entry ae " +