From 6e3e0b6c56c034698b44ebb5fcb1be38057b04af Mon Sep 17 00:00:00 2001
From: Vincent Vanwaelscappel
Date: Tue, 6 Dec 2022 08:18:02 +0100
Subject: [PATCH] wip #5627 @0.5
---
 src/app/Models/User.php | 5 ++++-
 src/app/Operations/LoginasOperation.php | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/app/Models/User.php b/src/app/Models/User.php
index d7afa13..9ad9c8d 100644
--- a/src/app/Models/User.php
+++ b/src/app/Models/User.php
@@ -218,8 +218,11 @@ class User extends CubistMagicAuthenticatable
 if (null === $user) {
 return false;
 }
+ if ($user->company == 7 && !$this->can('loginascube')) {
+ return false;
+ }
 /** @var $user self */
- return in_array($this->id, $user->getManagedUsers());
+ return in_array($user->id, $this->getManagedUsers());
 }
diff --git a/src/app/Operations/LoginasOperation.php b/src/app/Operations/LoginasOperation.php
index a384ac0..7fa5439 100644
--- a/src/app/Operations/LoginasOperation.php
+++ b/src/app/Operations/LoginasOperation.php
@@ -20,12 +20,15 @@ trait LoginasOperation
 protected function loginas($id)
 {
 $user = User::find($id);
+ if (!$this->canLoginas($user)) {
+ abort(403);
+ }
 backpack_auth()->login($user);
 return redirect('dashboard');
 }
 public function canLoginas($user)
 {
- return $this->isOwner($user);
+ return backpack_user()->isOwner($user);
 }
 }
--
2.39.5
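Review bot: In the src/app/Models/User.php hunk, the new guard `$user->company == 7` encodes an authorization boundary as an unexplained literal with a loose comparison, and the `in_array()` ownership test on the last changed line is also non-strict. For a check that decides who may be impersonated, I would name the company id and compare strictly, e.g. `if ((int) $user->company === self::CUBE_COMPANY_ID && !$this->can('loginascube'))`, where `CUBE_COMPANY_ID` is a new constant to introduce. The ownership test should pass `true` as the third argument, `return in_array($user->id, $this->getManagedUsers(), true);`, provided getManagedUsers() returns ids of the same type as `$user->id`, which is not visible here. The enclosing method starts above the hunk, so its name and how `$user` is resolved are not shown.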
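Review bot: In the src/app/Operations/LoginasOperation.php hunk, `loginas()` switches the session to another account without leaving any record of who did it, and `canLoginas()` dereferences `backpack_user()` without checking that a user is authenticated. Impersonation is worth an audit entry written just before `backpack_auth()->login($user);`, for example `logger()->info('loginas', ['actor' => backpack_user()->id, 'target' => $user->id]);`. If this route can be reached without the admin auth middleware (not visible in the hunk), `backpack_user()` returns null and the call fails with an error rather than a 403; `return backpack_user()?->isOwner($user) ?? false;` would deny cleanly, assuming the project runs on PHP 8. A `User::find($id)` miss appears to be denied by the null check shown in the User.php hunk, but a comment saying so on `canLoginas()` would keep that dependency visible.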