From 9eaa0b66d7cf1098dffff4869d64ba0cd0baf978 Mon Sep 17 00:00:00 2001
From: Paolo
Date: Fri, 22 Mar 2019 11:54:25 +0100
Subject: [PATCH] - Changed AuthLib->loginASByPersonId: now if to the given person_id is linked a uid, then permissions are checked using the uid
---
 application/libraries/AuthLib.php | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/application/libraries/AuthLib.php b/application/libraries/AuthLib.php
index d9480f6db..0558144a1 100644
--- a/application/libraries/AuthLib.php
+++ b/application/libraries/AuthLib.php
@@ -106,15 +106,32 @@ class AuthLib
 {
 $this->_ci->load->library('PermissionLib'); // Loads permissions library
- // Checks if the logged user is allowed to obtain the new identity
+ // Checks if the logged user is allowed to obtain the new identity by its person id
 if ($this->_ci->permissionlib->isEntitledLoginASByPersonId($person_id))
 {
 // Create the authentication object with new identity data
 $loginAS = $this->_createAuthObjByPerson(array('person_id' => $person_id));
- if (isSuccess($loginAS))
+ if (isSuccess($loginAS)) // if successfully created
 {
- // Store the new authentication object in authentication session
- setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, getData($loginAS));
+ $authObj = getData($loginAS); // get the authenticate object
+ if ($authObj->{self::AO_USERNAME} != null) // if the username is present
+ {
+ // Checks if the logged user is allowed to obtain the new identity by its uid
+ if ($this->_ci->permissionlib->isEntitledLoginASByUID($authObj->{self::AO_USERNAME}))
+ {
+ // Store the new authentication object in authentication session
+ setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, $authObj);
+ }
+ else // if does NOT have permissions
+ {
+ $loginAS = error('Not authenticated', AUTH_NOT_AUTHENTICATED);
+ }
+ }
+ else // otherwise it's NOT possible to check other permissions
+ {
+ // Store the new authentication object in authentication session
+ setSessionElement(self::SESSION_NAME, self::SESSION_AUTH_OBJ, $authObj);
+ }
 }
 }
 }
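Review bot: The new uid check is gated by a loose comparison, `if ($authObj->{self::AO_USERNAME} != null)`, so an empty-string (or otherwise null-equal) username takes the `else` branch and the new identity is stored on the person-id entitlement alone, skipping `isEntitledLoginASByUID`. Treating only a real null as "no uid linked" sends every other value through the uid permission check: `if ($authObj->{self::AO_USERNAME} !== null)`. The `else` branch is the fail-open path of this change and should say so, e.g. `// No uid linked to this person: the person-id entitlement is the only check available`. The denied branch returns `error('Not authenticated', AUTH_NOT_AUTHENTICATED)` with no logging visible in the hunk; if login-as attempts are not recorded elsewhere, a log entry there would help detect misuse. The function's signature lies above the hunk, so how `$person_id` arrives and what is finally returned cannot be checked from here.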