From defc70e656b756d0e997fbbb0ad629e81134e43a Mon Sep 17 00:00:00 2001
From: Matias Griese <matias@trilbymedia.com>
Date: Mon, 3 Feb 2020 12:53:41 +0200
Subject: [PATCH] Fixed some admin related ACL issues

---
 .../Common/Flex/UserGroups/UserGroupCollection.php     |  1 +
 system/src/Grav/Common/Twig/TwigExtension.php          | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/system/src/Grav/Common/Flex/UserGroups/UserGroupCollection.php b/system/src/Grav/Common/Flex/UserGroups/UserGroupCollection.php
index ce23f0bbb..10c19358d 100644
--- a/system/src/Grav/Common/Flex/UserGroups/UserGroupCollection.php
+++ b/system/src/Grav/Common/Flex/UserGroups/UserGroupCollection.php
@@ -35,6 +35,7 @@ class UserGroupCollection extends FlexCollection
     public function authorize(string $action, string $scope = null): ?bool
     {
         $authorized = null;
+        /** @var UserGroupObject $object */
         foreach ($this as $object) {
             $auth = $object->authorize($action, $scope);
             if ($auth === true) {
diff --git a/system/src/Grav/Common/Twig/TwigExtension.php b/system/src/Grav/Common/Twig/TwigExtension.php
index 3239f161e..defbfbf66 100644
--- a/system/src/Grav/Common/Twig/TwigExtension.php
+++ b/system/src/Grav/Common/Twig/TwigExtension.php
@@ -1028,8 +1028,14 @@ class TwigExtension extends AbstractExtension implements GlobalsInterface
      */
     public function authorize($action)
     {
-        /** @var UserInterface|null $user */
-        $user = $this->grav['user'] ?? null;
+        // Admin can use Flex users even if the site does not; make sure we use the right version of the user.
+        $admin = $this->grav['admin'] ?? null;
+        if ($admin) {
+            $user = $admin->user;
+        } else {
+            /** @var UserInterface|null $user */
+            $user = $this->grav['user'] ?? null;
+        }
 
         if (!$user) {
             return false;