From 018fbd3771a34eaf9140ccefcce30831835668ec Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Tue, 11 Aug 2020 20:37:15 +0200
Subject: [PATCH] fix permission handling in routing and permission check

---
 Account/PermissionAbstract.php | 5 +++--
 Router/WebRouter.php           | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Account/PermissionAbstract.php b/Account/PermissionAbstract.php
index dbcc8c8b8..bfef2e13c 100644
--- a/Account/PermissionAbstract.php
+++ b/Account/PermissionAbstract.php
@@ -407,13 +407,14 @@ class PermissionAbstract implements \JsonSerializable
         int $element = null,
         int $component = null
     ) {
-        return ($unit === null || $this->unit === null || $this->unit === $unit)
+        return $permission === PermissionType::NONE ||
+            (($unit === null || $this->unit === null || $this->unit === $unit)
             && ($app === null || $this->app === null || $this->app === $app)
             && ($module === null || $this->module === null || $this->module === $module)
             && ($type === null || $this->type === null || $this->type === $type)
             && ($element === null || $this->element === null || $this->element === $element)
             && ($component === null || $this->component === null || $this->component === $component)
-            && ($this->permission | $permission) === $this->permission;
+            && ($this->permission | $permission) === $this->permission);
     }
 
     /**
diff --git a/Router/WebRouter.php b/Router/WebRouter.php
index de8b82bea..81b726757 100644
--- a/Router/WebRouter.php
+++ b/Router/WebRouter.php
@@ -139,7 +139,7 @@ final class WebRouter implements RouterInterface
                     if ((isset($d['permission']) && $account === null)
                         || (isset($d['permission'])
                             && !$account->hasPermission(
-                                $d['permission']['type'] ?? null, $orgId, $app, $d['permission']['module'] ?? null, $d['permission']['state'] ?? null
+                                $d['permission']['type'] ?? 0, $d['permission']['unit'] ?? $orgId, $app, $d['permission']['module'] ?? null, $d['permission']['state'] ?? null
                             )
                         )
                     ) {