Only external userAdmin can set userAdmin

[gpl/argeo-suite.git] / swt / org.argeo.app.ui / src / org / argeo / app / ui / people / PersonUiProvider.java

diff --git a/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java b/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java
index aeb378da7c496d0793a8b8e1909f23ff54d32bf8..c0adcf5582373f3765d6479293d43ee85f3e8fe5 100644 (file)
--- a/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java
+++ b/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java
@@ -14,11 +14,11 @@ import org.argeo.app.ui.SuiteMsg;
 import org.argeo.app.ui.SuiteStyle;
 import org.argeo.app.ui.SuiteUiUtils;
 import org.argeo.cms.CmsMsg;
+import org.argeo.cms.CurrentUser;
 import org.argeo.cms.Localized;
 import org.argeo.cms.RoleNameUtils;
 import org.argeo.cms.SystemRole;
 import org.argeo.cms.auth.CmsRole;
-import org.argeo.cms.auth.CurrentUser;
 import org.argeo.cms.swt.CmsSwtUtils;
 import org.argeo.cms.swt.Selected;
 import org.argeo.cms.swt.acr.SwtSection;
@@ -167,11 +167,16 @@ public class PersonUiProvider implements SwtUiProvider {
                        }
                }
 
-               if (systemRole.equals(CmsRole.userAdmin))
-                       radio.setEnabled(CurrentUser.implies(CmsRole.groupAdmin, roleContext));
-               else
+               if (systemRole.equals(CmsRole.userAdmin)) {
+                       if (!CurrentUser.isUserContext(roleContext) && CurrentUser.implies(CmsRole.userAdmin, roleContext)) {
+                               // a user admin cannot modify the user admins of their own context
+                               radio.setEnabled(true);
+                       } else {
+                               radio.setEnabled(false);
+                       }
+               } else {
                        radio.setEnabled(CurrentUser.implies(CmsRole.userAdmin, roleContext));
-
+               }
                new Label(parent, 0).setText(msg.lead());
 
        }