From a1fcc4043247503718c85551411ba6def47f72a9 Mon Sep 17 00:00:00 2001
From: Moriz Wahl
Date: Mon, 7 Nov 2022 16:57:16 +0100
Subject: [PATCH] fix: Member of Group Cannot Be Added as New Member
---
 .../src/middleware/permissionsMiddleware.js | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/backend/src/middleware/permissionsMiddleware.js b/backend/src/middleware/permissionsMiddleware.js
index 906285d12..6b71f3dce 100644
--- a/backend/src/middleware/permissionsMiddleware.js
+++ b/backend/src/middleware/permissionsMiddleware.js
@@ -143,16 +143,20 @@ const isAllowedToChangeGroupMemberRole = rule({
 })
 try {
 const { admin, group, member } = await readTxPromise
+ const groupExists = !!group
+ const adminExists = !!admin
+ const userIsMember = !!member
+ const sameUserRoleInGroup = member && member.myRoleInGroup === roleInGroup
+ const userIsOwner = member && ['owner'].includes(member.myRoleInGroup)
+ const adminIsAdmin = admin && ['admin'].includes(admin.myRoleInGroup)
+ const adminCanSetRole = ['pending', 'usual', 'admin'].includes(roleInGroup)
+ const adminIsOwner = admin && ['owner'].includes(admin.myRoleInGroup)
+ const ownerCanSetRole = ['pending', 'usual', 'admin', 'owner'].includes(roleInGroup)
 return (
- !!group &&
- !!admin &&
- (!member ||
- (!!member &&
- (member.myRoleInGroup === roleInGroup || !['owner'].includes(member.myRoleInGroup)))) &&
- ((['admin'].includes(admin.myRoleInGroup) &&
- ['pending', 'usual', 'admin'].includes(roleInGroup)) ||
- (['owner'].includes(admin.myRoleInGroup) &&
- ['pending', 'usual', 'admin', 'owner'].includes(roleInGroup)))
+ groupExists &&
+ adminExists &&
+ (!userIsMember || (userIsMember && (sameUserRoleInGroup || !userIsOwner))) &&
+ ((adminIsAdmin && adminCanSetRole) || (adminIsOwner && ownerCanSetRole))
 )
 } catch (error) {
 throw new Error(error)
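Review bot: The rewritten `return` in `isAllowedToChangeGroupMemberRole` gives the same result as the removed expression for every combination of `group`, `admin`, `member` and `roleInGroup`, and the diffstat counts (13 insertions, 9 deletions) match this hunk alone, so the patch as shown does not change who is authorised; if the fix named in the subject is meant to change the rule's outcome, it is not in these lines. Because this is an authorisation decision, a policy comment above the new constants would make the intent checkable, e.g. `// admin may set pending|usual|admin; owner may also set owner; an existing owner can only keep its role`. The third clause repeats its own guard and can be written as `(!userIsMember || sameUserRoleInGroup || !userIsOwner) &&`. A caller whose role is `admin` still passes for any non-owner target, including another admin, so it is worth confirming that peer role changes are intended and covering that case with a test. The rule's body starts and ends outside the hunk.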