Fixes #546

Author: oharsta

client/src/utils/UserRole.js

@@ -135,7 +135,7 @@ export const markAndFilterRoles = (user, allRoles, locale, multiple, separator,
         role.value = role.id;
         deriveApplicationAttributes(role, locale, multiple, separator);
     });
-    if (!isUserAllowed(AUTHORITIES.INSTITUTION_ADMIN, user)) {
+    if (!user.superUser) {
         const userRoles = user.userRoles;
         userRoles.forEach(userRole => {
             userRole.isUserRole = true;
@@ -171,7 +171,13 @@ export const allowedAuthoritiesForInvitation = (user, selectedRoles) => {
         return Object.keys(AUTHORITIES);
 
     }
-    if (user.institutionAdmin && !isEmpty(user.applications)) {
+    //Return only the AUTHORITIES where the user has the correct authority per selectedRole
+    const userRolesForSelectedRoles = selectedRoles
+        .map(role => role.isUserRole ? role.role : role)
+        .map(role => user.userRoles.find(userRole => userRole.role.id === role.id))
+        .filter(userRole => !isEmpty(userRole));
+    //If the user is an institutionAdmin but is also a regular inviter or manager of this role, then filter the authorities
+    if (user.institutionAdmin && !isEmpty(user.applications) && userRolesForSelectedRoles.length === 0) {
         return Object.keys(AUTHORITIES)
             .filter(authority => authority !== AUTHORITIES.SUPER_USER);
     }
@@ -183,11 +189,6 @@ export const allowedAuthoritiesForInvitation = (user, selectedRoles) => {
         return Object.keys(AUTHORITIES)
             .filter(auth => AUTHORITIES_HIERARCHY[auth] > AUTHORITIES_HIERARCHY[authority]);
     }
-    //Return only the AUTHORITIES where the user has the correct authority per selectedRole
-    const userRolesForSelectedRoles = selectedRoles
-        .map(role => role.isUserRole ? role.role : role)
-        .map(role => user.userRoles.find(userRole => userRole.role.id === role.id))
-        .filter(userRole => !isEmpty(userRole));
     const leastImportantAuthority = userRolesForSelectedRoles
         .reduce((acc, userRole) => {
             if (AUTHORITIES_HIERARCHY[userRole.authority] < AUTHORITIES_HIERARCHY[acc]) {

server/src/main/java/invite/security/UserPermissions.java

@@ -78,8 +78,12 @@ public static void assertValidInvitation(User user, Authority intendedAuthority,
         }
         //For all roles verify that the user has a higher authority then the one requested for all off the roles
         boolean allowed = roles.stream()
-                .allMatch(role -> mayInviteByApplication(userRoles, intendedAuthority, role) ||
-                        mayInviteByAuthority(userRoles, intendedAuthority, role));
+                .allMatch(role -> {
+                    boolean mayInviteByInstitutionAdmin = user.isInstitutionAdmin() && user.getOrganizationGUID().equals(role.getOrganizationGUID());
+                    boolean mayInviteByApplication = mayInviteByApplication(userRoles, intendedAuthority, role);
+                    boolean mayInviteByAuthority = mayInviteByAuthority(userRoles, intendedAuthority, role);
+                    return mayInviteByInstitutionAdmin || mayInviteByApplication || mayInviteByAuthority;
+                });
         if (!allowed) {
             throw new UserRestrictionException();
         }

server/src/test/java/invite/security/UserPermissionsTest.java

@@ -145,6 +145,23 @@ void assertNoRoleAccess() {
         assertThrows(UserRestrictionException.class, () -> UserPermissions.assertRoleAccess(user, role, Authority.INVITER));
     }
 
+    @Test
+    void institutionAdminWithRegularRole() {
+        String organizationGUID = UUID.randomUUID().toString();
+        User user = new User();
+        user.setOrganizationGUID(organizationGUID);
+        user.setInstitutionAdmin(true);
+        //May invite users for this role because of organization GUID
+        Role role = new Role("institution-admin-role", "description", application(organizationGUID, EntityType.SAML20_SP), 365, false, false);
+        role.setId(random.nextLong());
+        role.setOrganizationGUID(organizationGUID);
+        //May invite users for this role because of role membership
+        Role manager = new Role("manager-role", "description", application(UUID.randomUUID().toString(), EntityType.SAML20_SP), 365, false, false);
+        manager.setId(random.nextLong());
+        user.addUserRole(new UserRole(Authority.MANAGER, manager));
+        UserPermissions.assertValidInvitation(user, Authority.INVITER, List.of(role, manager));
+    }
+
     @Test
     void nullPointerHygiene() {
         assertThrows(UserRestrictionException.class, () -> UserPermissions.assertSuperUser(null));