From 3197ec58385951957c237fd6c147670cca89123c Mon Sep 17 00:00:00 2001
From: Mathieu <mbaudier@argeo.org>
Date: Sat, 12 Nov 2022 09:03:11 +0100
Subject: [PATCH] Only external userAdmin can set userAdmin

---
 .../org/argeo/app/ui/people/PersonUiProvider.java   | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java b/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java
index 73b1f73..c0adcf5 100644
--- a/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java
+++ b/swt/org.argeo.app.ui/src/org/argeo/app/ui/people/PersonUiProvider.java
@@ -167,11 +167,16 @@ public class PersonUiProvider implements SwtUiProvider {
 			}
 		}
 
-		if (systemRole.equals(CmsRole.userAdmin))
-			radio.setEnabled(CurrentUser.implies(CmsRole.groupAdmin, roleContext));
-		else
+		if (systemRole.equals(CmsRole.userAdmin)) {
+			if (!CurrentUser.isUserContext(roleContext) && CurrentUser.implies(CmsRole.userAdmin, roleContext)) {
+				// a user admin cannot modify the user admins of their own context
+				radio.setEnabled(true);
+			} else {
+				radio.setEnabled(false);
+			}
+		} else {
 			radio.setEnabled(CurrentUser.implies(CmsRole.userAdmin, roleContext));
-
+		}
 		new Label(parent, 0).setText(msg.lead());
 
 	}
-- 
2.30.2