mirror/processwire
1
0
Fork 0
mirror of https://github.com/processwire/processwire.git synced 2025-08-17 12:10:45 +02:00
Code Issues Releases Wiki Activity

Updates to user-admin-[role] permission logic in PagePermissions.module. This (and the previous 2 commits) hopefully also fixes processwire/processwire-issues#1737

Browse Source
This commit is contained in:
Ryan Cramer
2023-07-19 14:44:45 -04:00
parent 05cdf08949
commit 879b482b6a
1 changed files with 38 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
wire/modules/PagePermissions.module
View File

@@ -245,7 +245,8 @@ class PagePermissions extends WireData implements Module {
$process = $this->wire()->process; $process = $this->wire()->process;
$processName = (string) $process; $processName = (string) $process;
$config = $this->wire()->config; $config = $this->wire()->config;
$guestRoleID = $config->guestUserRolePageID; $guestRoleID = (int) $config->guestUserRolePageID;
$permissions = $this->wire()->permissions;
$defaults = array( $defaults = array(
'viewable' => false, // specify true if method is being used to determine viewable state 'viewable' => false, // specify true if method is being used to determine viewable state
@@ -304,10 +305,15 @@ class PagePermissions extends WireData implements Module {
if($userViewable) return true; if($userViewable) return true;
} else { } else {
// if the current process is something other than ProcessUser, they don't have permission // if the current process is something other than ProcessUser (or a Process module that can be
if($processName !== 'ProcessUser' && (!$process instanceof ProcessPageList) && (!$process instanceof ProcessPageLister)) { // used within ProcessUser) they don't have permission
return false; $processNames = array(
} 'ProcessUser',
'ProcessPageList',
'ProcessPageLister',
'ProcessPageEditImageSelect'
);
if(!wireInstanceOf($process, $processNames)) return false;
} }
// if user doesn't have user-admin permission, they have no edit access // if user doesn't have user-admin permission, they have no edit access
@@ -320,29 +326,43 @@ class PagePermissions extends WireData implements Module {
// if we reach this point then check if there are more granular user-admin permissions available // if we reach this point then check if there are more granular user-admin permissions available
// special permissions: user-admin-all, and user-admin-[role] // special permissions: user-admin-all, and user-admin-[role]
$userAdminAll = $this->wire()->permissions->get('user-admin-all'); $userAdminPerms = $permissions->getPermissionNameIds('user-admin-');
// if there are no special permissions, then let them through // if there are no special permissions, then let them through
if(!$userAdminAll->id) return true; if(isset($userAdminPerms['user-admin-all'])) {
// if user has 'user-admin-all' permission, they are good to edit
if($user->hasPermission('user-admin-all')) return true;
// if there are no other user-admin perms then not editable
if(count($userAdminPerms) === 1) return false;
// if user has user-admin-all permission, they are good to edit } else if(empty($userAdminPerms)) {
if($user->hasPermission($userAdminAll)) return true; // no 'user-admin-[role]' permissions means permission delegated to just 'user-admin'
return true;
}
// there are role-specific permissions in the system, and user must have appropriate one to edit // there are role-specific permissions in the system, and user must have appropriate one to edit
$userEditable = false; $userEditable = false;
$pageRoles = $page->roles;
$n = 0; $n = 0;
foreach($page->roles as $role) {
foreach($pageRoles as $role) {
$n++; $n++;
if($role->id == $guestRoleID) continue; if($role->id == $guestRoleID) continue;
if($user->hasPermission("user-admin-$role->name")) { $permName = "user-admin-$role->name";
if(!isset($userAdminPerms[$permName])) continue; // does not exist
if($user->hasPermission($permName)) {
// found a matching permission for role, so it is editable // found a matching permission for role, so it is editable
$userEditable = true; $userEditable = true;
break; break;
} else {
// user does not have
} }
} }
if($userEditable) return true; if($userEditable) return true;
// if there is only role (guest), then no specific permission needed for that
if($n == 0 || ($n == 1 && $page->roles->first()->id == $guestRoleID)) return true; // if there is only 1 role (guest), then no role-specific permission needed for that
if($n == 0 || ($n == 1 && $pageRoles->first()->id == $guestRoleID)) return true;
return false; return false;
} }
@@ -560,7 +580,7 @@ class PagePermissions extends WireData implements Module {
if($user === null) $user = $this->wire()->user; if($user === null) $user = $this->wire()->user;
if(!$user->isLoggedin()) return false; if(!$user->isLoggedin()) return false;
if(!$user->hasPermission('profile-edit')) return false; if(!$user->hasPermission('profile-edit')) return false;
$data = $this->wire()->modules->getModuleConfigData('ProcessProfile'); $data = $this->wire()->modules->getConfig('ProcessProfile');
$profileFields = isset($data['profileFields']) ? $data['profileFields'] : array(); $profileFields = isset($data['profileFields']) ? $data['profileFields'] : array();
if(in_array($name, $profileFields)) return true; if(in_array($name, $profileFields)) return true;
return false; return false;