kitodo · solth · Oct 30, 2024
diff --git a/Kitodo/src/main/java/org/kitodo/production/controller/SecurityAccessController.java b/Kitodo/src/main/java/org/kitodo/production/controller/SecurityAccessController.java
@@ -956,6 +956,24 @@ public boolean hasAuthorityGlobalToAddOrEditRole() {
         return securityAccessService.hasAuthorityGlobalToAddOrEditRole();
     }
 
+    /**
+     * Checks if current user has global authority for editing roles.
+     *
+     * @return true if current user has global authority for editing roles
+     */
+    public boolean hasAuthorityGlobalToEditRole() {
+        return securityAccessService.hasAuthorityGlobalToEditRole();
+    }
+
+    /**
+     * Checks if current user has global authority for viewing a role.
+     *
+     * @return true if current user has global authority for editing a role
+     */
+    public boolean hasAuthorityGlobalToViewRole() {
+        return securityAccessService.hasAuthorityGlobalToViewRole();
+    }
+
     /**
      * Checks if current user has authority to configure displayed columns in list
      * views.

diff --git a/Kitodo/src/main/java/org/kitodo/production/services/security/SecurityAccessService.java b/Kitodo/src/main/java/org/kitodo/production/services/security/SecurityAccessService.java
@@ -889,6 +889,25 @@ public boolean hasAuthorityGlobalToAddOrEditRole() {
         return hasAnyAuthorityGlobal("addRole, editRole");
     }
 
+    /**
+     * Checks if current user has global authority for editing a role.
+     *
+     * @return true if current user has global authority for editing a role
+     */
+    public boolean hasAuthorityGlobalToEditRole() {
+        return hasAnyAuthorityGlobal("editRole");
+    }
+
+    /**
+     * Checks if current user has global authority for viewing a role.
+     * Having the authority to edit a role also grants permission to view it inherently.
+     *
+     * @return true if current user has global authority for editing a role
+     */
+    public boolean hasAuthorityGlobalToViewRole() {
+        return hasAnyAuthorityGlobal("viewRole, editRole");
+    }
+
     /**
      * Check if current user has global authority to view role list. It returns true
      * if user has "viewAllRoles" authority globally.

diff --git a/Kitodo/src/main/webapp/WEB-INF/templates/includes/roleEdit/details.xhtml b/Kitodo/src/main/webapp/WEB-INF/templates/includes/roleEdit/details.xhtml
@@ -42,18 +42,20 @@
             </p:row>
             <p:row rendered="#{not SecurityAccessController.hasAuthorityGlobalToAddOrEditRole()}" />
         </p:panelGrid>
-        <p:panelGrid columns="2" layout="grid">
-            <p:row>
+        <p:panelGrid columns="#{SecurityAccessController.hasAuthorityGlobalToViewRole() ? 2 : 1}"
+                     layout="grid">
+            <p:row rendered="#{SecurityAccessController.hasAuthorityGlobalToViewRole()}">
                 <!--global authorities-->
                 <h:panelGroup>
                     <h3 style="margin-bottom: 20px">
                         <h:outputText value="#{msgs.globalAssignable}"/>
                     </h3>
+                    <!--@elvariable id="authority" type="org.kitodo.data.database.beans.Authority"-->
                     <p:pickList id="authoritiesGlobalPick"
                                 showSourceFilter="true" showTargetFilter="true"
                                 filterMatchMode="contains"
                                 responsive="true"
-                                disabled="#{isViewMode}"
+                                disabled="#{not SecurityAccessController.hasAuthorityGlobalToEditRole() or isViewMode}"
                                 value="#{RoleForm.globalAssignableAuthorities}"
                                 converter="#{authorityConverter}"
                                 var="authority"
@@ -70,7 +72,7 @@
                 <!--client authorities-->
                 <h:panelGroup>
                     <h3 style="margin-bottom: 20px">
-                        <h:outputText value="#{msgs.clientAssignable}"/>
+                        <h:outputText value="#{SecurityAccessController.hasAuthorityGlobalToViewRole() ? msgs.clientAssignable : msgs.authorities}"/>
                     </h3>
                     <p:pickList id="authoritiesClientPick"
                                 value="#{RoleForm.clientAssignableAuthorities}"