Fixes #1068

server/api/collaboration.py

@@ -19,7 +19,7 @@
     confirm_authorized_api_call, \
     confirm_allow_impersonation, confirm_organisation_admin_or_manager, confirm_external_api_call, \
     is_organisation_admin_or_manager, is_application_admin, confirm_service_admin, \
-    confirm_organisation_api_collaboration, is_collaboration_admin, confirm_write_access
+    confirm_organisation_api_collaboration, is_collaboration_admin, confirm_write_access, has_org_manager_unit_access
 from server.db.activity import update_last_activity_date
 from server.db.db import db
 from server.db.defaults import (default_expiry_date, full_text_search_autocomplete_limit, cleanse_short_name,
@@ -693,12 +693,13 @@ def update_collaboration():
     confirm_collaboration_admin(data["id"])
 
     organisation = db.session.get(Organisation, int(data["organisation_id"]))
-    if is_collaboration_admin(current_user_id(), collaboration_id=data["id"]) and "units" in data:
+    collaboration = db.session.get(Collaboration, data["id"])
+
+    if not has_org_manager_unit_access(current_user_id(), collaboration) and "units" in data:
         del data["units"]
 
     _validate_collaboration(data, organisation, new_collaboration=False)
 
-    collaboration = db.session.get(Collaboration, data["id"])
     if collaboration.organisation_id != organisation.id:
         confirm_write_access()
 

server/auth/security.py

@@ -42,6 +42,8 @@ def _get_impersonated_session():
 
 
 def has_org_manager_unit_access(user_id, collaboration, org_manager_allowed=True):
+    if is_application_admin():
+        return True
     members = list(filter(lambda m: m.user_id == user_id, collaboration.organisation.organisation_memberships))
     if not members:
         return False