[#225] Fix corner-case for canWriteUserInfo

blcham · blcham · commit e5a0efc73836 · 2025-09-30T22:35:52.000+02:00
The corner-case not covered was when both users were not assigned to organization.
diff --git a/src/utils/RoleUtils.js b/src/utils/RoleUtils.js
@@ -63,12 +63,13 @@ export function canReadRecord(currentUser, record) {
 }
 
 export function canWriteUserInfo(currentUser, user) {
+  const hasSameInstitution =
+    currentUser.institution !== null && currentUser.institution?.name === user?.institution?.name;
   return (
-    hasSupersetOfPrivileges(currentUser, user) &&
-    (hasRole(currentUser, ROLE.WRITE_ALL_USERS) ||
-      (hasRole(currentUser, ROLE.WRITE_ORGANIZATION_USERS) &&
-        currentUser.institution?.name === user?.institution?.name) ||
-      currentUser.username === user?.username)
+    (currentUser.username === user?.username ||
+      hasRole(currentUser, ROLE.WRITE_ALL_USERS) ||
+      (hasSameInstitution && hasRole(currentUser, ROLE.WRITE_ORGANIZATION_USERS))) &&
+    hasSupersetOfPrivileges(currentUser, user)
   );
 }
 
