FOUR-31148: Fix group permission authorization

[eiresendez]

Issue & Reproduction Steps

A user without direct permissions but with inherited group permissions for viewing, creating, editing, and deleting groups can open Admin > Groups > Edit Group > Group Permissions. When that user attempts to assign all permissions to a group and save, the UI shows "This action is unauthorized" because PUT /api/1.0/permissions returns 403.

Solution

• Move permission update authorization from the route middleware into PermissionController::update so it checks the requested target entity.
• Require edit-users when updating user permissions and edit-groups when updating group permissions.
• Validate that permission update requests include exactly one target, either user_id or group_id.
• Add feature coverage for inherited group permission saves, denied user permission saves, denied group permission saves, and invalid target payloads.

How to Test

• vendor/bin/phpunit tests/Feature/Api/PermissionsTest.php
• Manual check: log in as a non-admin user with inherited edit-groups but no edit-users, open Admin > Groups > Edit Group > Group Permissions, assign permissions, and save successfully.

Related Tickets & Packages

• https://processmaker.atlassian.net/browse/FOUR-31148

ci:deploy

.

[eiresendez]

Hi @CarliPinell when you have a chance, could you please take a look at this PR?

It’s not a high priority ticket — just part of the Maniac Monday issues, so no rush.
Thanks!

cc: @sanjacornelius

[processmaker-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[Kookster310]

QA server K8S was successfully deployed https://ci-9756d86e2f.engk8s.processmaker.net