fix: permissions behaviour

pressbooks-multi-institution.php

@@ -18,19 +18,19 @@
 use PressbooksMultiInstitution\Database\Migration;
 
 // TODO: Check if this is the best way to check for Pressbooks.
-if (!class_exists('Pressbooks\Book')) {
-    if (file_exists(__DIR__ . '/vendor/autoload.php')) {
-        require_once __DIR__ . '/vendor/autoload.php';
-    } else {
-        $title = __('Missing dependencies', 'PressbooksMultiInstitution');
-        $body = __(
-            'Please run <code>composer install</code> from the root of the plugin directory.',
-            'pressbooks-multi-institution'
-        );
+//if (!class_exists('Pressbooks\Book')) {
+if (file_exists(__DIR__ . '/vendor/autoload.php')) {
+    require_once __DIR__ . '/vendor/autoload.php';
+} else {
+    $title = __('Missing dependencies', 'PressbooksMultiInstitution');
+    $body = __(
+        'Please run <code>composer install</code> from the root of the plugin directory.',
+        'pressbooks-multi-institution'
+    );
 
-        wp_die("<h1>{$title}</h1><p>{$body}</p>");
-    }
+    wp_die("<h1>{$title}</h1><p>{$body}</p>");
 }
+//}
 
 register_activation_hook(__FILE__, [Migration::class, 'migrate']);
 register_deactivation_hook(__FILE__, [Migration::class, 'rollback']);

src/Actions/PermissionsManager.php

@@ -80,8 +80,9 @@ public function setupInstitutionalFilters(): void
         $institutionalUsers = InstitutionUser::query()->byInstitution($institution)->pluck('user_id')->toArray();
 
         add_filter('pb_institution', function () use ($institution) {
-            return Institution::find($institution)?->toArray() ?? [];
+            return Institution::find($institution)?->toArray() ?? false;
         });
+
         add_filter('pb_institutional_users', function ($users) use ($institutionalUsers) {
             return [...$users, ...array_map('intval', $institutionalUsers)];
         });
@@ -286,10 +287,6 @@ public function handlePagesPermissions($institution, $institutionalManagers, $in
                 'options-general.php',
                 'profile.php' => [''],
                 'post-new.php',
-                'site-info.php',
-                'site-users.php',
-                'site-themes.php',
-                'site-settings.php',
                 'edit.php',
                 'edit-tags.php',
                 'upload.php',
@@ -303,6 +300,13 @@ public function handlePagesPermissions($institution, $institutionalManagers, $in
                 'options-privacy.php'
             ];
 
+            $bookPages = [
+                'site-info.php',
+                'site-settings.php',
+                'site-themes.php',
+                'site-users.php',
+            ];
+
             $currentPage = $pagenow;
             $currentPageParam = $_GET['page'] ?? '';
             $currentPageParam = $_GET['action'] ?? $currentPageParam;
@@ -325,8 +329,10 @@ public function handlePagesPermissions($institution, $institutionalManagers, $in
                 $isAccessAllowed = false;
             }
 
-            // Check if user has access to the book even though is not an institution book.
-            if (current_user_can_for_blog($currentBlogId, 'read')) {
+            // Check if the current page is a book page and if the user has access to it
+            $userBooks = array_slice(array_keys(get_blogs_of_user(get_current_user_id())), 1); // remove the main site
+
+            if (in_array($currentBlogId, $userBooks) && !in_array($currentPage, $bookPages)) {
                 $isAccessAllowed = true;
             }