From 5e4c172c2f57168ceb22f933508876e8937251ad Mon Sep 17 00:00:00 2001 From: Cameron Date: Fri, 1 Dec 2017 17:00:02 -0800 Subject: [PATCH] Issue #2883 Permission fixes. --- e107_admin/administrator.php | 2 +- e107_admin/auth.php | 5 ++++ e107_admin/users.php | 13 +++++++---- .../shortcodes/batch/admin_shortcodes.php | 6 ++--- e107_handlers/sitelinks_class.php | 23 +++++++++++-------- signup.php | 2 +- 6 files changed, 33 insertions(+), 18 deletions(-) diff --git a/e107_admin/administrator.php b/e107_admin/administrator.php index 77697d9ec..48b892e46 100644 --- a/e107_admin/administrator.php +++ b/e107_admin/administrator.php @@ -156,7 +156,7 @@ function show_admins() "; - if($row['user_id'] != "1") + if($row['user_id'] != "1" && intval($row['user_id']) !== USERID) { $text .= " ".$frm->submit_image("edit_admin[{$row['user_id']}]", 'edit', 'edit', LAN_EDIT)." diff --git a/e107_admin/auth.php b/e107_admin/auth.php index 2519d79a7..0f3f09154 100644 --- a/e107_admin/auth.php +++ b/e107_admin/auth.php @@ -56,6 +56,11 @@ if(USER && !getperms('0') && vartrue($pref['multilanguage']) && !getperms(e_LANG $tmp = explode(".",ADMINPERMS); foreach($tmp as $ln) { + if(strlen($ln) < 3) // not a language perm. + { + continue; + } + if($lng->isValid($ln)) { $redirect = deftrue("MULTILANG_SUBDOMAIN") ? $lng->subdomainUrl($ln) : e_SELF."?elan=".$ln; diff --git a/e107_admin/users.php b/e107_admin/users.php index a2e2b20a5..393eb02c9 100644 --- a/e107_admin/users.php +++ b/e107_admin/users.php @@ -2379,7 +2379,12 @@ class users_admin_form_ui extends e_admin_form_ui // $uid = $this->getController()->getModel()->get('user_id'); $perms = $this->getController()->getModel()->get('user_perms'); - if($mode == 'read' || (str_replace(".","",$perms) == '0')) + if($mode == 'filter' && getperms('3')) + { + return array(0=>LAN_NO, '1'=>LAN_YES); + } + + if($mode == 'read' || (str_replace(".","",$perms) == '0') || !getperms('3')) { return $this->renderValue('user_admin',$curval,$att); } 
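Review bot: The added `intval($row['user_id']) !== USERID` in show_admins() only hides the edit control for the current account; unless the code that handles the `edit_admin[...]` submit (outside this hunk) applies the same check, a directly submitted form still reaches it, so the guard should be repeated where the POST is processed. The condition also mixes a loose `!= "1"` with a strict `!== USERID`; a uniform form such as `$adminId = (int) $row['user_id'];` followed by `if($adminId !== 1 && $adminId !== USERID)` reads more consistently. show_admins() starts and ends outside this hunk.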
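Review bot: The `strlen($ln) < 3` filter in the ADMINPERMS loop encodes an assumption the comment does not state, namely that every permission code other than a language name is shorter than three characters; if that is the intent, spell it out, e.g. `// Language names are 3+ chars; skip shorter perm codes before the isValid() lookup.` The check also silently absorbs the empty entry that `explode(".", ADMINPERMS)` yields for a trailing dot, which is worth a word so nobody later tightens it to a `=== ''` test alone. The surrounding if-block starts, and the foreach ends, outside this hunk.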
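Review bot: Both new `getperms('3')` gates in users_admin_form_ui (here and in the `user_perms` hunk at -2443) only change what the form renders; if the controller's save path does not also reject `user_admin`/`user_perms` changes from callers lacking perm '3', a crafted POST still updates them, so the check belongs in the write/validation path as well (that code is outside this hunk and may already cover it). In `filter` mode a caller without '3' now falls through to `$this->renderValue(...)`, returning a rendered value where the filter expects an options array; if such users should still be able to filter, drop `getperms('3')` from the filter branch, otherwise disable the field's filter explicitly instead. The returned options mix key styles, `array(0=>LAN_NO, '1'=>LAN_YES)`; `array(0 => LAN_NO, 1 => LAN_YES)` avoids the int/string mix (PHP casts `'1'` to `1` anyway). The enclosing method starts and ends outside this hunk.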
@@ -2390,6 +2395,7 @@ class users_admin_form_ui extends e_admin_form_ui } + } @@ -2443,10 +2449,9 @@ class users_admin_form_ui extends e_admin_form_ui $perms = $this->getController()->getModel()->get('user_perms'); $uid = $this->getController()->getModel()->get('user_id'); - if($mode == 'read' || (str_replace(".","",$perms) == '0' && $uid == USERID)) + if($mode == 'read' || (str_replace(".","",$perms) == '0' && $uid == USERID) || !getperms('3')) { - - return e107::getUserPerms()->renderPerms($curval,$uid); + return e107::getUserPerms()->renderPerms($curval,$uid); } if($mode == 'write') { diff --git a/e107_core/shortcodes/batch/admin_shortcodes.php b/e107_core/shortcodes/batch/admin_shortcodes.php index 8cd9de348..fb02909cb 100644 --- a/e107_core/shortcodes/batch/admin_shortcodes.php +++ b/e107_core/shortcodes/batch/admin_shortcodes.php @@ -1964,7 +1964,8 @@ Inverse 10 10 $active = ''; foreach ($array_functions as $key => $subitem) { - if(!empty($subitem[3]) && !getperms($subitem[3])) + + if(isset($subitem[3]) && $subitem[3] !== false && !getperms($subitem[3])) { continue; } @@ -2077,8 +2078,7 @@ Inverse 10 10 // ------------------------------------------------------------------ - // print_a($menu_vars); - + // e107::getDebug()->log($menu_vars); return e107::getNav()->admin('', $active, $menu_vars, $$tmpl, false, false); diff --git a/e107_handlers/sitelinks_class.php b/e107_handlers/sitelinks_class.php index ef755e93c..ebb9414eb 100644 --- a/e107_handlers/sitelinks_class.php +++ b/e107_handlers/sitelinks_class.php 
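Review bot: The self-check `$uid == USERID` kept in the `user_perms` condition is a loose comparison while administrator.php in this same commit uses `intval(...) !== USERID`; `(int) $uid === USERID` would make the two consistent. The condition also repeats the `str_replace(".","",$perms) == '0'` idiom from the `user_admin` hunk; a small private helper such as `isMainAdminPerms(string $perms): bool` would keep the two in step and give the idiom a name. The enclosing method continues outside this hunk.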
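Review bot: Replacing `!empty($subitem[3])` with `isset($subitem[3]) && $subitem[3] !== false` correctly stops treating the main-admin code `'0'` as "no permission" (since `empty('0')` is true), but it also changes how an empty string is handled: `''` used to skip the check and now reaches `getperms('')`, whose result for an empty code I cannot confirm from here. This commit converts only the docs and credits entries in sitelinks_class.php to `false`, so any remaining entries (including plugin-supplied ones) that still use `''` change behaviour; if `''` is meant to keep its old meaning, add `&& $subitem[3] !== ''`, i.e. `if(isset($subitem[3]) && $subitem[3] !== false && $subitem[3] !== '' && !getperms($subitem[3]))`. The same applies to the `perm` check in the sitelinks_class.php hunk at -1353. The enclosing foreach and function start and end outside this hunk.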
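Review bot: The hunk swaps one commented-out debug statement for another, `// e107::getDebug()->log($menu_vars);`; commented-out code tends to rot, so either drop the line or keep a live, conditionally-enabled debug call if one is wanted. The enclosing function continues outside this hunk.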
@@ -895,14 +895,15 @@ i.e-cat_users-32{ background-position: -555px 0; width: 32px; height: 32px; } 32 => array(e_ADMIN_ABS.'eurl.php', ADLAN_159, ADLAN_160, 'K', 1, E_16_EURL, E_32_EURL), 33 => array(e_ADMIN_ABS.'plugin.php', ADLAN_98, ADLAN_99, 'Z', 5 , E_16_PLUGMANAGER, E_32_PLUGMANAGER), - 34 => array(e_ADMIN_ABS.'docs.php', ADLAN_12, ADLAN_13, '', 20, E_16_DOCS, E_32_DOCS), + 34 => array(e_ADMIN_ABS.'docs.php', ADLAN_12, ADLAN_13, false, 20, E_16_DOCS, E_32_DOCS), // TODO System Info. // 35 => array('#TODO', 'System Info', 'System Information', '', 20, '', ''), - 36 => array(e_ADMIN_ABS.'credits.php', LAN_CREDITS, LAN_CREDITS, '', 20, E_16_E107, E_32_E107), + 36 => array(e_ADMIN_ABS.'credits.php', LAN_CREDITS, LAN_CREDITS, false, 20, E_16_E107, E_32_E107), // 37 => array(e_ADMIN.'custom_field.php', ADLAN_161, ADLAN_162, 'U', 4, E_16_CUSTOMFIELD, E_32_CUSTOMFIELD), 38 => array(e_ADMIN_ABS.'comment.php', LAN_COMMENTMAN, LAN_COMMENTMAN, 'B', 5, E_16_COMMENT, E_32_COMMENT), - ); - + ); + + if($mode == 'legacy') { return $array_functions; // Old BC format. @@ -910,6 +911,8 @@ i.e-cat_users-32{ background-position: -555px 0; width: 32px; height: 32px; } $newarray = asortbyindex($array_functions, 1); $array_functions_assoc = $this->convert_core_icons($newarray); + + if($mode == 'core') // Core links only. { @@ -937,7 +940,7 @@ i.e-cat_users-32{ background-position: -555px 0; width: 32px; height: 32px; } $array_functions_assoc[$key] = $val; } } - + return $array_functions_assoc; } @@ -1318,10 +1321,12 @@ i.e-cat_users-32{ background-position: -555px 0; width: 32px; height: 32px; } unset($temp); } - if(!is_array($e107_vars)) + if(empty($e107_vars)) { - return; + return null; } + + $kpost = ''; $text = ''; 
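Review bot: Index 3 of these positional entries now carries a `false` sentinel for "no permission required" next to perm codes such as `'K'` and `'Z'`, but nothing at the array's head says so, and the commented-out entry 35 still uses `''`; add a line above the array such as `// [3] = required admin perm code, or false when no permission check applies.` and switch entry 35 to `false` so a future revival does not reintroduce the old value. The array begins outside this hunk.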
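Review bot: Changing `!is_array($e107_vars)` to `empty($e107_vars)` drops the type guard: a non-empty value that is not an array (a string or object) now passes and reaches `foreach (array_keys($e107_vars) as $act)` in the -1353 hunk, which throws a TypeError on PHP 8 (a warning and a foreach over null on PHP 7) where the old code returned early. Keep both checks: `if(!is_array($e107_vars) || empty($e107_vars))`. The enclosing function starts and ends outside this hunk.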
@@ -1353,7 +1358,7 @@ i.e-cat_users-32{ background-position: -555px 0; width: 32px; height: 32px; } foreach (array_keys($e107_vars) as $act) { - if (isset($e107_vars[$act]['perm']) && !getperms($e107_vars[$act]['perm'])) // check perms first. + if (isset($e107_vars[$act]['perm']) && $e107_vars[$act]['perm'] !== false && !getperms($e107_vars[$act]['perm'])) // check perms first. { continue; } @@ -1475,7 +1480,7 @@ i.e-cat_users-32{ background-position: -555px 0; width: 32px; height: 32px; } $START_SUB = $tmpl['start_sub']; } - if (vartrue($e107_vars[$act]['sub'])) + if(!empty($e107_vars[$act]['sub'])) { $replace[6] = $id ? " id='eplug-nav-{$rid}-sub'" : ''; $replace[7] = ' '.varset($e107_vars[$act]['link_class'], 'e-expandit'); diff --git a/signup.php b/signup.php index 58970aae6..9c3b6f053 100644 --- a/signup.php +++ b/signup.php @@ -815,7 +815,7 @@ if (isset($_POST['register']) && intval($pref['user_reg']) === 1) if (vartrue($pref['allowEmailLogin'])) { // Need to create separate password for email login //$allData['data']['user_prefs'] = serialize(array('email_password' => $userMethods->HashPassword($savePassword, $allData['data']['user_email']))); - $allData['data']['user_prefs'] = e107::getArrayStorage()->serialize(array('email_password' => $userMethods->HashPassword($savePassword, $allData['data']['user_email']))); + $allData['data']['user_prefs'] = e107::serialize(array('email_password' => $userMethods->HashPassword($savePassword, $allData['data']['user_email']))); } $allData['data']['user_join'] = time();
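Review bot: The context line above the change, `//$allData['data']['user_prefs'] = serialize(array(...));`, is the earlier commented-out form of this same statement and should be deleted now that the call has been replaced a second time; two dead variants beside the live one invite the wrong one to be reinstated. If `e107::serialize()` is not guaranteed to produce the same format as `e107::getArrayStorage()->serialize()`, whatever reads `email_password` back out of `user_prefs` needs checking for the change, which is outside this hunk. The enclosing if-block starts outside this hunk.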