From 75d8ab1a4c3ef19e6cd7eac240f33d684c8840ec Mon Sep 17 00:00:00 2001
From: konradoboza <konrad.oboza@ibexa.co>
Date: Thu, 22 Feb 2024 15:13:32 +0100
Subject: [PATCH 1/2] IBX-7809: Fixed passing `locationId` instead of
 `contentId` when creating `UserMetadata` criterion from
 `UserGroupLimitationType` level

---
 .../Core/Limitation/UserGroupLimitationType.php    | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/eZ/Publish/Core/Limitation/UserGroupLimitationType.php b/eZ/Publish/Core/Limitation/UserGroupLimitationType.php
index 8b7efd422c..8b2d380733 100644
--- a/eZ/Publish/Core/Limitation/UserGroupLimitationType.php
+++ b/eZ/Publish/Core/Limitation/UserGroupLimitationType.php
@@ -6,6 +6,7 @@
  */
 namespace eZ\Publish\Core\Limitation;
 
+use eZ\Publish\API\Repository\Exceptions\NotFoundException;
 use eZ\Publish\API\Repository\Values\Content\Content;
 use eZ\Publish\API\Repository\Values\Content\ContentCreateStruct;
 use eZ\Publish\API\Repository\Values\Content\ContentInfo;
@@ -189,10 +190,15 @@ public function getCriterion(APILimitationValue $value, APIUserReference $curren
         }
 
         $groupIds = [];
-        $currentUserLocations = $this->persistence->locationHandler()->loadLocationsByContent($currentUser->getUserId());
-        if (!empty($currentUserLocations)) {
-            foreach ($currentUserLocations as $currentUserLocation) {
-                $groupIds[] = $currentUserLocation->parentId;
+        $locationHandler = $this->persistence->locationHandler();
+        $currentUserLocations = $locationHandler->loadLocationsByContent($currentUser->getUserId());
+        foreach ($currentUserLocations as $currentUserLocation) {
+            try {
+                $parentLocation = $locationHandler->load($currentUserLocation->parentId);
+                $groupIds[] = $parentLocation->contentId;
+            } catch (NotFoundException $e) {
+                // there is no need for any action - carrying on with checking other user locations
+                continue;
             }
         }
 

From 001e9e6d99e364ac1e4bea55f535d74d5f05678f Mon Sep 17 00:00:00 2001
From: konradoboza <konrad.oboza@ibexa.co>
Date: Fri, 23 Feb 2024 12:17:58 +0100
Subject: [PATCH 2/2] added integration test coverage

---
 .../Limitation/UserGroupLimitationTest.php    | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 tests/integration/Core/Limitation/UserGroupLimitationTest.php

diff --git a/tests/integration/Core/Limitation/UserGroupLimitationTest.php b/tests/integration/Core/Limitation/UserGroupLimitationTest.php
new file mode 100644
index 0000000000..38fbaf1b74
--- /dev/null
+++ b/tests/integration/Core/Limitation/UserGroupLimitationTest.php
@@ -0,0 +1,93 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\Tests\Integration\Core\Limitation;
+
+use eZ\Publish\API\Repository\Tests\Limitation\PermissionResolver\BaseLimitationIntegrationTest;
+use eZ\Publish\API\Repository\Values\Content\LocationQuery;
+use eZ\Publish\API\Repository\Values\Content\Query\Criterion;
+use eZ\Publish\API\Repository\Values\Content\Search\SearchHit;
+use eZ\Publish\API\Repository\Values\User\Limitation\ContentTypeLimitation;
+use eZ\Publish\API\Repository\Values\User\Limitation\LocationLimitation;
+use eZ\Publish\API\Repository\Values\User\Limitation\UserGroupLimitation;
+
+final class UserGroupLimitationTest extends BaseLimitationIntegrationTest
+{
+    private const FOLDER_CONTENT_TYPE_ID = 1;
+
+    public function testHasUserWithUserGroupLimitationAccessToCreatedLocations(): void
+    {
+        $repository = $this->getRepository();
+
+        $user = $this->createUserWithPolicies('test_user', $this->getPermissions());
+        $userGroups = $repository->getUserService()->loadUserGroupsOfUser($user);
+        $userGroupIds = array_column($userGroups, 'id');
+
+        $repository->getPermissionResolver()->setCurrentUserReference($user);
+
+        $parentFolder = $this->createFolder(
+            ['eng-US' => 'Parent folder'],
+            2
+        );
+        $childFolder = $this->createFolder(
+            ['eng-US' => 'Child folder'],
+            $parentFolder->contentInfo->getMainLocationId()
+        );
+
+        $this->refreshSearch($repository);
+
+        $query = new LocationQuery();
+        $query->filter = new Criterion\LogicalAnd([
+            new Criterion\ContentTypeId(self::FOLDER_CONTENT_TYPE_ID),
+            new Criterion\UserMetadata('group', 'in', $userGroupIds),
+        ]);
+
+        $results = $repository->getSearchService()->findLocations($query)->searchHits;
+        $resultLocationIds = array_map(static function (SearchHit $hit): int {
+            /** @var \eZ\Publish\API\Repository\Values\Content\Location $location */
+            $location = $hit->valueObject;
+
+            return $location->id;
+        }, $results);
+
+        self::assertContains($parentFolder->contentInfo->getMainLocationId(), $resultLocationIds);
+        self::assertContains($childFolder->contentInfo->getMainLocationId(), $resultLocationIds);
+    }
+
+    /**
+     * @return array<array<string, mixed>>
+     */
+    private function getPermissions(): array
+    {
+        return [
+            [
+                'module' => 'content',
+                'function' => 'create',
+            ],
+            [
+                'module' => 'content',
+                'function' => 'publish',
+            ],
+            [
+                'module' => 'content',
+                'function' => 'read',
+                'limitations' => [
+                    new LocationLimitation(['limitationValues' => [2]]),
+                ],
+            ],
+            [
+                'module' => 'content',
+                'function' => 'read',
+                'limitations' => [
+                    new ContentTypeLimitation(['limitationValues' => [self::FOLDER_CONTENT_TYPE_ID]]),
+                    new UserGroupLimitation(['limitationValues' => [1]]),
+                ],
+            ],
+        ];
+    }
+}