From ca240134707fea71affd3b46c5549edff358bffc Mon Sep 17 00:00:00 2001
From: rxu <rxu@mail.ru>
Date: Tue, 19 Oct 2021 23:24:43 +0700
Subject: [PATCH] [ticket/16895] Fix role removal for migrator permission tool

PHPBB3-16895
---
 phpBB/language/en/migrator.php               |  1 +
 phpBB/phpbb/db/migration/tool/permission.php | 72 ++++++++++++++++----
 2 files changed, 61 insertions(+), 12 deletions(-)

diff --git a/phpBB/language/en/migrator.php b/phpBB/language/en/migrator.php
index 8a82d40be5..5fdee79365 100644
--- a/phpBB/language/en/migrator.php
+++ b/phpBB/language/en/migrator.php
@@ -78,4 +78,5 @@ $lang = array_merge($lang, array(
 	'PERMISSION_NOT_EXIST'				=> 'The permission setting "%s" unexpectedly does not exist.',
 
 	'ROLE_NOT_EXIST'					=> 'The permission role "%s" unexpectedly does not exist.',
+	'ROLE_NOT_EXIST_ASSIGNED'			=> 'The permission role assigned to group "%1$s" unexpectedly does not exist. Role id: "%2$s"',
 ));
diff --git a/phpBB/phpbb/db/migration/tool/permission.php b/phpBB/phpbb/db/migration/tool/permission.php
index 6d19ad94c9..0b1a812bf9 100644
--- a/phpBB/phpbb/db/migration/tool/permission.php
+++ b/phpBB/phpbb/db/migration/tool/permission.php
@@ -49,6 +49,12 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 		$this->auth = $auth;
 		$this->phpbb_root_path = $phpbb_root_path;
 		$this->php_ext = $php_ext;
+
+		if (!class_exists('auth_admin'))
+		{
+			include($this->phpbb_root_path . 'includes/acp/auth.' . $this->php_ext);
+		}
+		$this->auth_admin = new \auth_admin();
 	}
 
 	/**
@@ -118,12 +124,6 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 		// We've added permissions, so set to true to notify the user.
 		$this->permissions_added = true;
 
-		if (!class_exists('auth_admin'))
-		{
-			include($this->phpbb_root_path . 'includes/acp/auth.' . $this->php_ext);
-		}
-		$auth_admin = new \auth_admin();
-
 		// We have to add a check to see if the !$global (if global, local, and if local, global) permission already exists.  If it does, acl_add_option currently has a bug which would break the ACL system, so we are having a work-around here.
 		if ($this->exists($auth_option, !$global))
 		{
@@ -140,19 +140,19 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 		{
 			if ($global)
 			{
-				$auth_admin->acl_add_option(array('global' => array($auth_option)));
+				$this->auth_admin->acl_add_option(array('global' => array($auth_option)));
 			}
 			else
 			{
-				$auth_admin->acl_add_option(array('local' => array($auth_option)));
+				$this->auth_admin->acl_add_option(array('local' => array($auth_option)));
 			}
 		}
 
 		// The permission has been added, now we can copy it if needed
-		if ($copy_from && isset($auth_admin->acl_options['id'][$copy_from]))
+		if ($copy_from && isset($this->auth_admin->acl_options['id'][$copy_from]))
 		{
-			$old_id = $auth_admin->acl_options['id'][$copy_from];
-			$new_id = $auth_admin->acl_options['id'][$auth_option];
+			$old_id = $this->auth_admin->acl_options['id'][$copy_from];
+			$new_id = $this->auth_admin->acl_options['id'][$auth_option];
 
 			$tables = array(ACL_GROUPS_TABLE, ACL_ROLES_DATA_TABLE, ACL_USERS_TABLE);
 
@@ -177,7 +177,7 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 				}
 			}
 
-			$auth_admin->acl_clear_prefetch();
+			$this->auth_admin->acl_clear_prefetch();
 		}
 	}
 
@@ -327,6 +327,45 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 			return;
 		}
 
+		// Get the role auth settings we need to re-set...
+		$sql = 'SELECT o.auth_option, r.auth_setting
+			FROM ' . ACL_ROLES_DATA_TABLE . ' r, ' . ACL_OPTIONS_TABLE . ' o
+			WHERE o.auth_option_id = r.auth_option_id
+				AND r.role_id = ' . $role_id;
+		$result = $this->db->sql_query($sql);
+
+		while ($row = $this->db->sql_fetchrow($result))
+		{
+			$auth_settings[$row['auth_option']] = $row['auth_setting'];
+		}
+		$this->db->sql_freeresult($result);
+
+		// Get role assignments
+		$hold_ary = $this->auth_admin->get_role_mask($role_id);
+
+		// Re-assign permissions
+		foreach ($hold_ary as $forum_id => $forum_ary)
+		{
+			if (isset($forum_ary['users']))
+			{
+				$this->auth_admin->acl_set('user', $forum_id, $forum_ary['users'], $auth_settings, 0, false);
+			}
+
+			if (isset($forum_ary['groups']))
+			{
+				$this->auth_admin->acl_set('group', $forum_id, $forum_ary['groups'], $auth_settings, 0, false);
+			}
+		}
+
+		// Remove role from users and groups just to be sure (happens through acl_set)
+		$sql = 'DELETE FROM ' . ACL_USERS_TABLE . '
+			WHERE auth_role_id = ' . $role_id;
+		$this->db->sql_query($sql);
+
+		$sql = 'DELETE FROM ' . ACL_GROUPS_TABLE . '
+			WHERE auth_role_id = ' . $role_id;
+		$this->db->sql_query($sql);
+
 		$sql = 'DELETE FROM ' . ACL_ROLES_DATA_TABLE . '
 			WHERE role_id = ' . $role_id;
 		$this->db->sql_query($sql);
@@ -425,6 +464,11 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 						WHERE role_id = ' . $role_id;
 					$this->db->sql_query($sql);
 					$role_data = $this->db->sql_fetchrow();
+					if (!$role_data)
+					{
+						throw new \phpbb\db\migration\exception('ROLE_NOT_EXIST_ASSIGNED', $name, $role_id);
+					}
+
 					$role_name = $role_data['role_name'];
 					$role_type = $role_data['role_type'];
 
@@ -571,6 +615,10 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 						WHERE role_id = ' . $role_id;
 					$this->db->sql_query($sql);
 					$role_name = $this->db->sql_fetchfield('role_name');
+					if (!$role_name)
+					{
+						throw new \phpbb\db\migration\exception('ROLE_NOT_EXIST_ASSIGNED', $name, $role_id);
+					}
 
 					return $this->permission_unset($role_name, $auth_option, 'role');
 				}