From e09987f5a8aa0c0ebe039f40eb26449ab718c636 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20G=C3=BCnther?=
Date: Tue, 23 Jun 2026 18:46:01 +0200
Subject: [PATCH] Fixed permission management
---
app/Repositories/CostUnitRepository.php | 22 ++++-----------------
app/Repositories/EventRepository.php | 26 ++++---------------------
app/Repositories/InvoiceRepository.php | 17 ++++------------
version | 2 +-
4 files changed, 13 insertions(+), 54 deletions(-)
diff --git a/app/Repositories/CostUnitRepository.php b/app/Repositories/CostUnitRepository.php
index 37c7f86..8ea823d 100644
--- a/app/Repositories/CostUnitRepository.php
+++ b/app/Repositories/CostUnitRepository.php
@@ -66,34 +66,20 @@ class CostUnitRepository {
}
public function getCostUnitsByCriteria(array $criteria, bool $forDisplay = true, $disableAccessCheck = false) : array {
- $tenant = app('tenant');
-
- $canSeeAll = false;
$user = Auth()->user();
if ($disableAccessCheck) {
$canSeeAll = true;
} else {
- if ($tenant->slug !== 'lv') {
- if (
- new AuthCheckProvider()->isAdministrator() ||
- $user->user_role_local_group === UserRole::USER_ROLE_ADMIN
- ) {
- $canSeeAll = true;
- }
- } else {
- if (
- in_array($user->user_role_main, [UserRole::USER_ROLE_GROUP_LEADER, UserRole::USER_ROLE_ADMIN])
- ) {
- $canSeeAll = true;
- }
- }
+ $canSeeAll = in_array(new AuthCheckProvider()->getUserRole(), [
+ UserRole::USER_ROLE_ADMIN, UserRole::USER_ROLE_GROUP_LEADER
+ ]);
}
$visibleCostUnits = [];
/** @var CostUnit $costUnit */
foreach (Costunit::where($criteria)->get() as $costUnit) {
- if ($canSeeAll || $disableAccessCheck || $costUnit->treasurers()->where('user_id', $user->id)->exists() ) {
+ if ($canSeeAll || $costUnit->treasurers()->where('user_id', $user->id)->exists() ) {
if ($forDisplay) {
$visibleCostUnits[] = new CostUnitResource($costUnit)->toArray(request());
} else {
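Review bot: The new `in_array(new AuthCheckProvider()->getUserRole(), [...])` on the added lines compares loosely; an authorization decision should use the strict form, `in_array(new AuthCheckProvider()->getUserRole(), [UserRole::USER_ROLE_ADMIN, UserRole::USER_ROLE_GROUP_LEADER], true)`, so that a role value of an unexpected type can never match an admin constant by coercion. The same loose check is added in EventRepository::getEventsByCriteria and InvoiceRepository in this commit. The replaced code also granted full visibility to a local-group admin (`user_role_local_group === UserRole::USER_ROLE_ADMIN`) and, outside the `lv` tenant, did not grant it to group leaders; whether the new check preserves both depends on what getUserRole() resolves, which is not visible here, so a short comment such as `// role resolution (tenant + local group) is delegated to AuthCheckProvider::getUserRole()` would make that contract explicit. getCostUnitsByCriteria continues past the end of the hunk.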
diff --git a/app/Repositories/EventRepository.php b/app/Repositories/EventRepository.php
index b4eafef..69ae356 100644
--- a/app/Repositories/EventRepository.php
+++ b/app/Repositories/EventRepository.php
@@ -77,38 +77,20 @@ class EventRepository {
}
public function getEventsByCriteria(array $criteria, $accessCheck = true) : array {
- $tenant = app('tenant');
-
- $canSeeAll = false;
$user = Auth()->user();
if (!$accessCheck) {
$canSeeAll = true;
} else {
- if (
- new AuthCheckProvider()->isAdministrator() ||
- $user->user_role_local_group === UserRole::USER_ROLE_ADMIN
- ) {
- if (
- $user->user_role_main === UserRole::USER_ROLE_ADMIN ||
- in_array($user->user_role_local_group, [UserRole::USER_ROLE_GROUP_LEADER, UserRole::USER_ROLE_ADMIN])
- ) {
- $canSeeAll = true;
- }
- } else {
- if (
- in_array($user->user_role_main, [UserRole::USER_ROLE_GROUP_LEADER, UserRole::USER_ROLE_ADMIN])
- ) {
- $canSeeAll = true;
- }
- }
+ $canSeeAll = in_array(new AuthCheckProvider()->getUserRole(), [
+ UserRole::USER_ROLE_ADMIN, UserRole::USER_ROLE_GROUP_LEADER
+ ]);
}
$visibleEvents = [];
/** @var Event $event */
foreach (Event::where($criteria)->orderBy('start_date')->get() as $event) {
-
- if ($canSeeAll || !$accessCheck || $event->eventManagers()->where('user_id', $user->id)->exists()) {
+ if ($canSeeAll || $event->eventManagers()->where('user_id', $user->id)->exists()) {
$visibleEvents[] = $event;
}
}
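Review bot: The removed branch granted full event visibility to a user whose `user_role_local_group` was admin or group leader only when the administrator check also passed, while the new `$canSeeAll` assignment relies solely on `getUserRole()` returning admin or group leader; if getUserRole() reports the main role only, the local-group path is silently dropped, and if it reports the local-group role, the former administrator precondition is gone, which widens access. Neither reading can be confirmed from the hunk, so the behaviour of getUserRole() for users with differing main and local-group roles is worth pinning with a test. The loose `in_array` here should also take `true` as its third argument, as noted on the CostUnitRepository hunk. getEventsByCriteria continues past the end of the hunk.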
diff --git a/app/Repositories/InvoiceRepository.php b/app/Repositories/InvoiceRepository.php
index b481bdf..a0fe319 100644
--- a/app/Repositories/InvoiceRepository.php
+++ b/app/Repositories/InvoiceRepository.php
@@ -6,6 +6,7 @@ use App\Enumerations\InvoiceStatus;
use App\Enumerations\UserRole;
use App\Models\CostUnit;
use App\Models\Invoice;
+use App\Providers\AuthCheckProvider;
use App\Resources\InvoiceResource;
use App\ValueObjects\Amount;
use Illuminate\Database\Eloquent\Collection;
@@ -83,19 +84,9 @@ class InvoiceRepository {
return $invoice;
}
- $user = auth()->user();
- if ($user->user_role_main === UserRole::USER_ROLE_ADMIN) {
- return $invoice;
- }
+ return in_array(new AuthCheckProvider()->getUserRole(), [
+ UserRole::USER_ROLE_ADMIN, UserRole::USER_ROLE_GROUP_LEADER
+ ]) ? $invoice : null;
- if (app('tenant')->slug === 'lv' && $user->user_role_main === UserRole::USER_ROLE_GROUP_LEADER) {
- return $invoice;
- }
-
- if (app('tenant')->slug !== 'lv' && $user->local_group === app('tenant')->slug && $user->user_role_local_group === UserRole::USER_ROLE_GROUP_LEADER) {
- return $invoice;
- }
-
- return null;
}
}
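Review bot: The new ternary drops the `$user->local_group === app('tenant')->slug` condition that the removed code required before a group leader of a non-`lv` tenant could read an invoice; unless getUserRole() already scopes the role to the current tenant, a group leader of a different local group now receives the invoice. This is a cross-tenant access concern that the hunk cannot settle, so it should be confirmed against AuthCheckProvider::getUserRole() and covered by a test with a group leader whose local_group differs from the tenant slug. As on the other hunks, the `in_array` should pass `true` as its third argument. The enclosing method starts before this hunk.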
diff --git a/version b/version
index a84947d..6cedcff 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-4.5.0
+4.5.2