Support admin only inherits from viewer role.

cabinetoffice · Oct 2, 2024 · 84284d6 · 84284d6
1 parent 704801e
commit 84284d6
Showing 1 changed file with 5 additions and 11 deletions.
diff --git a/Frontend/CO.CDP.OrganisationApp/Authorization/CustomScopeHandler.cs b/Frontend/CO.CDP.OrganisationApp/Authorization/CustomScopeHandler.cs
@@ -20,15 +20,6 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
                 {
                     IUserInfoService _userInfo = serviceScope.ServiceProvider.GetRequiredService<IUserInfoService>();
 
-                    var userScopes = await _userInfo.GetUserScopes();
-
-                    // SupportAdmin role can do anything within any organisation
-                    if (userScopes.Contains(PersonScopes.SupportAdmin))
-                    {
-                        context.Succeed(requirement);
-                        return;
-                    }
-
                     var organisationUserScopes = await _userInfo.GetOrganisationUserScopes();
 
                     // Admin role can do anything within this organisation
@@ -44,8 +35,11 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
                         return;
                     }
 
-                    // Editor role implies viewer permissions
-                    if (requirement.Scope == OrganisationPersonScopes.Viewer && organisationUserScopes.Contains(OrganisationPersonScopes.Editor))
+                    var userScopes = await _userInfo.GetUserScopes();
+
+                    // Editor role and support admin both imply viewer permissions
+                    if (requirement.Scope == OrganisationPersonScopes.Viewer &&
+                        (organisationUserScopes.Contains(OrganisationPersonScopes.Editor) || userScopes.Contains(PersonScopes.SupportAdmin)))
                     {
                         context.Succeed(requirement);
                         return;