Fixes #581

Author: oharsta

client/src/__tests__/utils/UserRole.test.js

@@ -12,6 +12,7 @@ import {
 const applicationUsagesForManageId = manageId => {
     return [{application: {manageId: manageId}}];
 }
+
 describe('UserRole', () => {
     it("Test isUserAllowed", () => {
         let user = {userRoles: [{authority: AUTHORITIES.GUEST}]}
@@ -36,16 +37,12 @@ describe('UserRole', () => {
 
     it("Allowed authorities for invitation - manager", () => {
         const researchUserRole = {authority: AUTHORITIES.MANAGER, role: {id: "1", manageId: "2"}};
-        const wikiRole = {id: "2", manageId: "2"};
         const mailUserRole = {authority: AUTHORITIES.INVITER, role: {id: "3", manageId: "9"}};
         const user = {userRoles: [researchUserRole, mailUserRole]}
 
         let authorities = allowedAuthoritiesForInvitation(user, []);
         expect(authorities).toEqual([AUTHORITIES.INVITER, AUTHORITIES.GUEST]);
 
-        authorities = allowedAuthoritiesForInvitation(user, [wikiRole]);
-        expect(authorities).toEqual([]);
-
         authorities = allowedAuthoritiesForInvitation(user, [mailUserRole.role]);
         expect(authorities).toEqual([AUTHORITIES.GUEST]);
 

client/src/pages/InvitationForm.jsx

@@ -201,12 +201,20 @@ export const InvitationForm = () => {
             setSelectedRoles([])
             setInvitation({...invitation, enforceEmailEquality: false, eduIDOnly: false})
         } else {
+            const allowedAuthorities = allowedAuthoritiesForInvitation(user, selectedOptions);
+            let intendedAuthority = invitation.intendedAuthority;
+            //If the chosen authority is no longer allowed, then change it
+            if (!allowedAuthorities.includes(invitation.intendedAuthority)) {
+               intendedAuthority = allowedAuthorities[0];
+            }
             const newSelectedOptions = Array.isArray(selectedOptions) ? [...selectedOptions] : [selectedOptions];
             setSelectedRoles(newSelectedOptions);
             const enforceEmailEquality = newSelectedOptions.some(role => role.enforceEmailEquality);
             const eduIDOnly = newSelectedOptions.some(role => role.eduIDOnly);
+
             setInvitation({
                 ...invitation,
+                intendedAuthority: intendedAuthority,
                 enforceEmailEquality: enforceEmailEquality,
                 eduIDOnly: eduIDOnly,
                 roleExpiryDate: defaultRoleExpiryDate(newSelectedOptions)
@@ -247,14 +255,14 @@ export const InvitationForm = () => {
                     pinnedEmails={[]}
                     removeMail={removeMail}
                     required={true}
-                    maxEmails={null} //TODO is there a internal placeholder identifier? then one
-                    maxEmailsMessage={"TODO : localize Not allowed to add more then one email"}
+                    maxEmails={null} //TODO is there a internal placeholder identifier? then one.
+                    // See https://github.com/OpenConext/OpenConext-Invite/issues/540
+                    maxEmailsMessage={"TODO : localize Not allowed to add more then one email with external identifier"}
                     error={!initial && isEmpty(invitation.invites)}/>
 
                 {(!initial && isEmpty(invitation.invites)) &&
                     <ErrorIndicator msg={I18n.t("invitations.requiredEmail")}/>}
-
-                {authorityOptions.length > 1 &&
+                {(authorityOptions.length > 1 || (!isInviter && authorityOptions.length === 1)) &&
                     <SelectField
                         value={authorityOptions.find(option => option.value === invitation.intendedAuthority)
                             || authorityOptions[authorityOptions.length - 1]}

client/src/utils/UserRole.js

@@ -170,19 +170,32 @@ export const allowedAuthoritiesForInvitation = (user, selectedRoles) => {
     if (user.superUser) {
         //The superuser has no organization guid, but is allowed to add one
         return Object.keys(AUTHORITIES);
-
     }
     //Return only the AUTHORITIES where the user has the correct authority per selectedRole
+    if (user.institutionAdmin && !isEmpty(user.applications)) {
+        const nonInstitutionalRoles = selectedRoles.filter(role => user.organizationGUID !== role.organizationGUID);
+        if (nonInstitutionalRoles.length === 0) {
+            return Object.keys(AUTHORITIES)
+                .filter(authority => authority !== AUTHORITIES.SUPER_USER);
+        } else {
+            //If the user is an institution-admin but is also a regular inviter or manager of another non-institutional role, then filter the authorities
+            const allowedAuthority = nonInstitutionalRoles
+                .reduce((acc, userRole) => {
+                    if (acc === null || AUTHORITIES_HIERARCHY[userRole.authority] > AUTHORITIES_HIERARCHY[acc]) {
+                        return userRole.authority;
+                    }
+                    return acc;
+                }, null) || AUTHORITIES.INVITER;
+            return Object.keys(AUTHORITIES)
+                .filter(auth => AUTHORITIES_HIERARCHY[auth] > AUTHORITIES_HIERARCHY[allowedAuthority]);
+        }
+    }
     const userRolesForSelectedRoles = selectedRoles
         .map(role => role.isUserRole ? role.role : role)
         .filter(role => (!isEmpty(user.organizationGUID) && user.organizationGUID === role.organizationGUID) ||
             user.userRoles.some(userRole => userRole.role.id === role.id))
         .filter(userRole => !isEmpty(userRole));
-    //If the user is an institutionAdmin but is also a regular inviter or manager of this role, then filter the authorities
-    if (user.institutionAdmin && !isEmpty(user.applications) && userRolesForSelectedRoles.length === 0) {
-        return Object.keys(AUTHORITIES)
-            .filter(authority => authority !== AUTHORITIES.SUPER_USER);
-    }
+
     if (!isUserAllowed(AUTHORITIES.INVITER, user)) {
         return [];
     }
@@ -193,11 +206,11 @@ export const allowedAuthoritiesForInvitation = (user, selectedRoles) => {
     }
     const leastImportantAuthority = userRolesForSelectedRoles
         .reduce((acc, userRole) => {
-            if (AUTHORITIES_HIERARCHY[userRole.authority] < AUTHORITIES_HIERARCHY[acc]) {
+            if (acc === null || AUTHORITIES_HIERARCHY[userRole.authority] > AUTHORITIES_HIERARCHY[acc]) {
                 return userRole.authority;
             }
             return acc;
-        }, AUTHORITIES.GUEST);
+        }, null) || AUTHORITIES.INVITER;
     return Object.keys(AUTHORITIES)
         .filter(auth => AUTHORITIES_HIERARCHY[auth] > AUTHORITIES_HIERARCHY[leastImportantAuthority]);
 

server/src/main/java/invite/security/UserPermissions.java

@@ -71,7 +71,7 @@ public static void assertValidInvitation(User user, Authority intendedAuthority,
             throw new UserRestrictionException();
         }
         Set<UserRole> userRoles = user.getUserRoles();
-        //Institution admin needs to own all roles
+        //Institution admin needs to own all roles or be a member of the role for at least the authority of invitationo
         if (user.isInstitutionAdmin() && roles.stream()
                 .allMatch(role -> user.getOrganizationGUID().equals(role.getOrganizationGUID()))) {
             return;