From 1eb8aa3eb37be8de9230bf5f4dd8e82e71f4f421 Mon Sep 17 00:00:00 2001
From: Leo Feyer <github@contao.org>
Date: Thu, 5 Jan 2017 17:19:10 +0100
Subject: [PATCH] Correctly add new resources to the user/group permissions
 (see #8583).

---
 .../contao/dca/tl_newsletter_channel.php      | 37 ++++++++++---------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/src/Resources/contao/dca/tl_newsletter_channel.php b/src/Resources/contao/dca/tl_newsletter_channel.php
index 0d67f8cec1..5e677c9212 100644
--- a/src/Resources/contao/dca/tl_newsletter_channel.php
+++ b/src/Resources/contao/dca/tl_newsletter_channel.php
@@ -264,45 +264,48 @@ public function checkPermission()
 
 					if (is_array($arrNew['tl_newsletter_channel']) && in_array(Input::get('id'), $arrNew['tl_newsletter_channel']))
 					{
-						// Add permissions on user level
-						if ($this->User->inherit == 'custom' || !$this->User->groups[0])
+						$blnDone = false;
+
+						// Try to add the permissions on group level
+						if ($this->User->inherit != 'custom' && !empty($this->User->groups[0]))
 						{
-							$objUser = $this->Database->prepare("SELECT newsletters, newsletterp FROM tl_user WHERE id=?")
+							$objGroup = $this->Database->prepare("SELECT newsletters, newsletterp FROM tl_user_group WHERE id=?")
 													   ->limit(1)
-													   ->execute($this->User->id);
+													   ->execute($this->User->groups[0]);
 
-							$arrNewsletterp = deserialize($objUser->newsletterp);
+							$arrNewsletterp = deserialize($objGroup->newsletterp);
 
 							if (is_array($arrNewsletterp) && in_array('create', $arrNewsletterp))
 							{
-								$arrNewsletters = deserialize($objUser->newsletters);
+								$blnDone = true;
+								$arrNewsletters = deserialize($objGroup->newsletters, true);
 								$arrNewsletters[] = Input::get('id');
 
-								$this->Database->prepare("UPDATE tl_user SET newsletters=? WHERE id=?")
-											   ->execute(serialize($arrNewsletters), $this->User->id);
+								$this->Database->prepare("UPDATE tl_user_group SET newsletters=? WHERE id=?")
+											   ->execute(serialize($arrNewsletters), $this->User->groups[0]);
 							}
 						}
 
-						// Add permissions on group level
-						elseif ($this->User->groups[0] > 0)
+						// Add permissions on user level
+						if (!$blnDone)
 						{
-							$objGroup = $this->Database->prepare("SELECT newsletters, newsletterp FROM tl_user_group WHERE id=?")
+							$objUser = $this->Database->prepare("SELECT newsletters, newsletterp FROM tl_user WHERE id=?")
 													   ->limit(1)
-													   ->execute($this->User->groups[0]);
+													   ->execute($this->User->id);
 
-							$arrNewsletterp = deserialize($objGroup->newsletterp);
+							$arrNewsletterp = deserialize($objUser->newsletterp);
 
 							if (is_array($arrNewsletterp) && in_array('create', $arrNewsletterp))
 							{
-								$arrNewsletters = deserialize($objGroup->newsletters);
+								$arrNewsletters = deserialize($objUser->newsletters, true);
 								$arrNewsletters[] = Input::get('id');
 
-								$this->Database->prepare("UPDATE tl_user_group SET newsletters=? WHERE id=?")
-											   ->execute(serialize($arrNewsletters), $this->User->groups[0]);
+								$this->Database->prepare("UPDATE tl_user SET newsletters=? WHERE id=?")
+											   ->execute(serialize($arrNewsletters), $this->User->id);
 							}
 						}
 
-						// Add new element to the user object
+						// Add the new element to the user object
 						$root[] = Input::get('id');
 						$this->User->newsletter = $root;
 					}