Prevent admin from succeeding support admin requirement by default.

cabinetoffice · Oct 4, 2024 · 45cb788 · 45cb788
1 parent 032ac6e
commit 45cb788
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Frontend/CO.CDP.OrganisationApp/Authorization/CustomScopeHandler.cs b/Frontend/CO.CDP.OrganisationApp/Authorization/CustomScopeHandler.cs
@@ -23,7 +23,7 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
                     var organisationUserScopes = await _userInfo.GetOrganisationUserScopes();
 
                     // Admin role can do anything within this organisation
-                    if (organisationUserScopes.Contains(OrganisationPersonScopes.Admin))
+                    if (organisationUserScopes.Contains(OrganisationPersonScopes.Admin) && requirement.Scope != PersonScopes.SupportAdmin)
                     {
                         context.Succeed(requirement);
                         return;