Internet2 · ioigoume · Apr 22, 2021
diff --git a/app/Controller/AdHocAttributesController.php b/app/Controller/AdHocAttributesController.php
@@ -148,6 +148,12 @@ function isAuthorized() {
           } elseif(!empty($aha['AdHocAttribute']['org_identity_id'])) {
             $managed = $this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
                                                                  $aha['AdHocAttribute']['org_identity_id']);
+            if(!empty($roles['orgidentities'])) {
+              $org_ids = Hash::extract($roles, 'orgidentities.{n}.org_id');
+              if(in_array($aha['AdHocAttribute']['org_identity_id'], $org_ids)) {
+                $self = true;
+              }
+            }
           }
         }
         break;

diff --git a/app/Controller/AddressesController.php b/app/Controller/AddressesController.php
@@ -185,6 +185,12 @@ function isAuthorized() {
           } elseif(!empty($address['Address']['org_identity_id'])) {
             $managed = $this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
                                                                  $address['Address']['org_identity_id']);
+            if(!empty($roles['orgidentities'])) {
+              $org_ids = Hash::extract($roles, 'orgidentities.{n}.org_id');
+              if(in_array($address['Address']['org_identity_id'], $org_ids)) {
+                $self = true;
+              }
+            }
           }
         }
         break;

diff --git a/app/Controller/CoDepartmentsController.php b/app/Controller/CoDepartmentsController.php
@@ -149,6 +149,7 @@ function isAuthorized() {
     // View identifiers? This correlates with IdentifiersController
     $p['identifiers'] = ($roles['cmadmin']
                          || $roles['coadmin']
+                         || $self
                          || ($managed && $roles['couadmin']));
 
     $this->set('permissions', $p);

diff --git a/app/Controller/CoPeopleController.php b/app/Controller/CoPeopleController.php
@@ -769,6 +769,7 @@ public function isAuthorized() {
     // View identifiers? This correlates with IdentifiersController
     $p['identifiers'] = ($roles['cmadmin']
                          || $roles['coadmin']
+                         || $self
                          || ($managed && $roles['couadmin']));
 
     // View history? This correlates with HistoryRecordsController

diff --git a/app/Controller/EmailAddressesController.php b/app/Controller/EmailAddressesController.php
@@ -160,6 +160,12 @@ function isAuthorized() {
           } elseif(!empty($emailaddress['EmailAddress']['org_identity_id'])) {
             $managed = $this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
                                                                  $emailaddress['EmailAddress']['org_identity_id']);
+            if(!empty($roles['orgidentities'])) {
+              $org_ids = Hash::extract($roles, 'orgidentities.{n}.org_id');
+              if(in_array($emailaddress['EmailAddress']['org_identity_id'], $org_ids)) {
+                $self = true;
+              }
+            }
           }
         }
         break;

diff --git a/app/Controller/IdentifiersController.php b/app/Controller/IdentifiersController.php
@@ -291,6 +291,7 @@ function isAuthorized() {
     // the identifier passed in the URL, otherwise we lookup based on the record ID.
 
     $managed = false;
+    $self = false;
 
     if(!empty($roles['copersonid'])) {
       switch($this->action) {
@@ -318,9 +319,18 @@ function isAuthorized() {
           if(!empty($identifier['Identifier']['co_person_id'])) {
             $managed = $this->Role->isCoOrCouAdminForCoPerson($roles['copersonid'],
                                                               $identifier['Identifier']['co_person_id']);
+            if($identifier['Identifier']['co_person_id'] == $roles['copersonid']) {
+              $self = true;
+            }
           } elseif(!empty($identifier['Identifier']['org_identity_id'])) {
             $managed = $this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
                                                                  $identifier['Identifier']['org_identity_id']);
+            if(!empty($roles['orgidentities'])) {
+              $org_ids = Hash::extract($roles, 'orgidentities.{n}.org_id');
+              if(in_array($identifier['Identifier']['org_identity_id'], $org_ids)) {
+                $self = true;
+              }
+            }
           }
         }
         break;
@@ -356,7 +366,8 @@ function isAuthorized() {
 
     // View an existing Identifier?
     $p['view'] = ($roles['cmadmin']
-                  || $roles['coadmin'] 
+                  || $roles['coadmin']
+                  || $self
                   || ($managed && $roles['couadmin']));
 
     $this->set('permissions', $p);

diff --git a/app/Controller/NamesController.php b/app/Controller/NamesController.php
@@ -304,6 +304,12 @@ function isAuthorized() {
           } elseif(!empty($name['Name']['org_identity_id'])) {
             $managed = $this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
                                                                  $name['Name']['org_identity_id']);
+            if(!empty($roles['orgidentities'])) {
+              $org_ids = Hash::extract($roles, 'orgidentities.{n}.org_id');
+              if(in_array($name['Name']['org_identity_id'], $org_ids)) {
+                $self = true;
+              }
+            }
           }
         }
         break;

diff --git a/app/Controller/OrgIdentitiesController.php b/app/Controller/OrgIdentitiesController.php
@@ -569,6 +569,7 @@ function isAuthorized() {
       // View identifiers? This correlates with IdentifiersController
       $p['identifiers'] = ($roles['cmadmin']
                            || $roles['coadmin']
+                           || $self
                            || ($managed && $roles['couadmin']));
 
       // View history? This correlates with HistoryRecordsController

diff --git a/app/Controller/TelephoneNumbersController.php b/app/Controller/TelephoneNumbersController.php
@@ -163,6 +163,12 @@ function isAuthorized() {
           } elseif(!empty($number['TelephoneNumber']['org_identity_id'])) {
             $managed = $this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
                                                                  $number['TelephoneNumber']['org_identity_id']);
+            if(!empty($roles['orgidentities'])) {
+              $org_ids = Hash::extract($roles, 'orgidentities.{n}.org_id');
+              if(in_array($number['TelephoneNumber']['org_identity_id'], $org_ids)) {
+                $self = true;
+              }
+            }
           }
         }
         break;

diff --git a/app/Controller/UrlsController.php b/app/Controller/UrlsController.php
@@ -160,6 +160,12 @@ function isAuthorized() {
           } elseif(!empty($url['Url']['org_identity_id'])) {
             $managed = $this->Role->isCoOrCouAdminForOrgidentity($roles['copersonid'],
                                                                  $url['Url']['org_identity_id']);
+            if(!empty($roles['orgidentities'])) {
+              $org_ids = Hash::extract($roles, 'orgidentities.{n}.org_id');
+              if(in_array($url['Url']['org_identity_id'], $org_ids)) {
+                $self = true;
+              }
+            }
           }
         }
         break;