From 7b858311766f5ee1298788ffe010972b29821be4 Mon Sep 17 00:00:00 2001 From: Sae126V Date: Fri, 8 Sep 2023 12:29:30 +0000 Subject: [PATCH] [GT-182] Add restriction on who can create SG's --- .../service_group/add_service_group.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/htdocs/web_portal/controllers/service_group/add_service_group.php b/htdocs/web_portal/controllers/service_group/add_service_group.php index 9f5d46455..d7277c92c 100644 --- a/htdocs/web_portal/controllers/service_group/add_service_group.php +++ b/htdocs/web_portal/controllers/service_group/add_service_group.php @@ -22,6 +22,8 @@ * See the License for the specific language governing permissions and * limitations under the License. /*====================================================== */ +use Exception; + require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php'; require_once __DIR__ . '/../../components/Get_User_Principle.php'; require_once __DIR__ . '/../utils.php'; @@ -74,6 +76,20 @@ function draw($user) { throw new \Exception("Unregistered users can't create service groups."); } + $hasAdminCredentials = $user->isAdmin(); + $roleService = \Factory::getRoleService(); + $userRoles = $roleService->getUserRoles($user); + + $isUserValid = $hasAdminCredentials ? true : !empty($userRoles); + + if (!$isUserValid) { + throw new Exception( + "You do not have permission to add a new " + . "Service Group. To add a new Service Group, you require " + . "at least one role assigned over an entity in GOCDB." + ); + } + // can user assign reserved scopes ? $disableReservedScopes = true; if ($user->isAdmin()) {
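Review bot: The added `use Exception;` is probably unnecessary and may produce a warning. No namespace declaration is visible in the hunk and the surrounding code refers to `\Exception` and `\Factory` with a leading backslash, which suggests the controller is in the global namespace, where PHP warns that a use statement with a non-compound name has no effect. I would drop the import and write `throw new \Exception(` in the new check, which also matches the existing throw in draw().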
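Review bot: The new role check sits in draw(), and the patch changes no other function, so the code path that actually creates the service group appears to have no equivalent guard unless the service layer rejects the request itself. An authorization rule enforced only where the form is rendered can be bypassed by a direct request, so the same check should run before the create call, ideally in one shared helper or in the service method so both paths agree. It is also worth confirming that `getUserRoles($user)` returns only granted roles, because if pending or revoked requests are included, `!empty($userRoles)` would be satisfied by merely requesting a role. The condition itself reads more simply as `$isUserValid = $user->isAdmin() || !empty($userRoles);`. draw() starts and ends outside the hunk, so this is based on the visible lines only.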