From 93d3c83670c71301abcf9e5108f6f2c6024ffaad Mon Sep 17 00:00:00 2001
From: frabacche
Date: Fri, 5 Apr 2024 11:26:14 +0200
Subject: [PATCH 1/2] DSC-1604 access by group: check subgroup with groupService.isMemeber
---
 .../content/security/CrisSecurityServiceImpl.java | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/dspace-api/src/main/java/org/dspace/content/security/CrisSecurityServiceImpl.java b/dspace-api/src/main/java/org/dspace/content/security/CrisSecurityServiceImpl.java
index 99add81e862..4a166783422 100644
--- a/dspace-api/src/main/java/org/dspace/content/security/CrisSecurityServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/content/security/CrisSecurityServiceImpl.java
@@ -10,7 +10,6 @@
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.UUID;
@@ -192,9 +191,15 @@ private boolean hasAccessByGroup(Context context, EPerson user, List gro
 }
 return groups.stream()
- .map(group -> findGroupByNameOrUUID(context, group))
- .filter(group -> Objects.nonNull(group))
- .anyMatch(group -> userGroups.contains(group) || isSpecialGroup(context, group));
+ .map(group -> findGroupByNameOrUUID(context, group))
+ .filter(group -> group != null)
+ .anyMatch(group -> {
+ try {
+ return groupService.isMember(context, user, group);
+ } catch (SQLException e) {
+ return false;
+ }
+ });
 }
 private boolean isSpecialGroup(Context context, Group group) {
From d3878d172a755bff19f91ffadb6c92e605232ee6 Mon Sep 17 00:00:00 2001
From: frabacche
Date: Fri, 5 Apr 2024 11:53:24 +0200
Subject: [PATCH 2/2] DSC-1604 access by group: IT
---
 .../config/spring/api/edititem-service.xml | 14 ++++++++++
 .../security/CrisSecurityServiceIT.java | 27 +++++++++++++++++++
 2 files changed, 41 insertions(+)
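Review bot: The `catch (SQLException e) { return false; }` added inside the `anyMatch` lambda makes a failed database lookup indistinguishable from a legitimate non-membership: denying is the right fail-closed outcome, but nothing is logged, so an operator cannot tell a broken membership query from a genuine rejection. At minimum record the failure before returning false, e.g. `LOGGER_PLACEHOLDER.error("Group membership check failed for user {} on group {}", user, group, e);` using whatever logger the class already declares (not visible in the hunk), or, if `hasAccessByGroup` already declares `throws SQLException` (its signature is cut off in the hunk header), replace the stream with a plain loop so the exception propagates as elsewhere in the service. The rewrite also drops the `isSpecialGroup(context, group)` alternative used by the removed line; whether `groupService.isMember(context, user, group)` still honours the context's special groups when `user` is not the current user of `context` should be confirmed, since special groups are attached to the session rather than to the EPerson. If it does, `isSpecialGroup` (still defined on the hunk's last line) and the `userGroups` local computed above the hunk may now be unused. The body of hasAccessByGroup begins before the hunk.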
diff --git a/dspace-api/src/test/data/dspaceFolder/config/spring/api/edititem-service.xml b/dspace-api/src/test/data/dspaceFolder/config/spring/api/edititem-service.xml
index 787bb5ebdd5..12dedb15088 100644
--- a/dspace-api/src/test/data/dspaceFolder/config/spring/api/edititem-service.xml
+++ b/dspace-api/src/test/data/dspaceFolder/config/spring/api/edititem-service.xml
@@ -90,6 +90,20 @@
+ + + + + GROUP + + + + + Researchers + + + +
diff --git a/dspace-api/src/test/java/org/dspace/content/security/CrisSecurityServiceIT.java b/dspace-api/src/test/java/org/dspace/content/security/CrisSecurityServiceIT.java
index 2fc14dbf034..782f521d799 100644
--- a/dspace-api/src/test/java/org/dspace/content/security/CrisSecurityServiceIT.java
+++ b/dspace-api/src/test/java/org/dspace/content/security/CrisSecurityServiceIT.java
@@ -310,6 +310,33 @@ public void testHasAccessWithSubmitterGroupConfig() throws SQLException, Authori
 assertThat(crisSecurityService.hasAccess(context, item, anotherSubmitter, accessMode), is(true));
 }
+ @Test
+ public void testHasAccessWithGroupChildOfResearchersConfig() throws SQLException {
+ context.turnOffAuthorisationSystem();
+ Group researchersMainGroup = GroupBuilder.createGroup(context)
+ .withName("Researchers")
+ .build();
+ Group researcherSubGroup = GroupBuilder.createGroup(context)
+ .withName("Researcher")
+ .withParent(researchersMainGroup)
+ .build();
+ EPerson firstUser = EPersonBuilder.createEPerson(context)
+ .withEmail("user@mail.it")
+ .withGroupMembership(researcherSubGroup)
+ .build();
+ Item item = ItemBuilder.createItem(context, collection)
+ .withTitle("Test item")
+ .withDspaceObjectOwner("Owner", owner.getID().toString())
+ //.withCrisOwner("Owner", owner.getID().toString())
+ .build();
+ context.restoreAuthSystemState();
+ AccessItemMode accessMode = buildAccessItemMode(CrisSecurity.GROUP);
+ when(accessMode.getGroups()).thenReturn(List.of("Researcher"));
+ assertThat(crisSecurityService.hasAccess(context, item, firstUser, accessMode), is(true));
+ assertThat(crisSecurityService.hasAccess(context, item, eperson, accessMode), is(false));
+ assertThat(crisSecurityService.hasAccess(context, item, owner, accessMode), is(false));
+ }
+
 @Test
 public void testHasAccessWithGroupConfig() throws SQLException, AuthorizeException {