From 18f378c9bd232822577258fe68afe78df3f7e7f4 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 29 Mar 2018 18:41:37 +0200
Subject: [permissionmanager] Introduce dedicated "permission denied" page

Closes #3350
---
 inc/user.inc.php                                    | 17 +++++++++++++----
 .../permissionmanager/lang/de/template-tags.json    |  5 ++++-
 .../permissionmanager/lang/en/template-tags.json    |  5 ++++-
 modules-available/permissionmanager/page.inc.php    |  9 +++++++++
 modules-available/permissionmanager/style.css       |  7 ++++++-
 .../templates/page-permission-denied.html           | 21 +++++++++++++++++++++
 6 files changed, 57 insertions(+), 7 deletions(-)
 create mode 100644 modules-available/permissionmanager/templates/page-permission-denied.html

diff --git a/inc/user.inc.php b/inc/user.inc.php
index 27a907c3..f12cc39f 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -55,15 +55,24 @@ class User
 	{
 		if (User::hasPermission($permission, $locationid))
 			return;
-		Message::addError('main.no-permission');
 		if (AJAX) {
 			Message::renderList();
 			exit;
 		}
-		if (is_null($redirect)) {
-			Util::redirect('?do=main');
-		} else {
+		if (!is_null($redirect)) {
+			Message::addError('main.no-permission');
 			Util::redirect($redirect);
+		} elseif (Module::isAvailable('permissionmanager')) {
+			if ($permission{0} !== '.') {
+				$module = Page::getModule();
+				if ($module !== false) {
+					$permission = '.' . $module->getIdentifier() . '.' . $permission;
+				}
+			}
+			Util::redirect('?do=permissionmanager&show=denied&permission=' . urlencode($permission));
+		} else {
+			Message::addError('main.no-permission');
+			Util::redirect('?do=main');
 		}
 	}
 
diff --git a/modules-available/permissionmanager/lang/de/template-tags.json b/modules-available/permissionmanager/lang/de/template-tags.json
index 52073dee..a4fc990b 100644
--- a/modules-available/permissionmanager/lang/de/template-tags.json
+++ b/modules-available/permissionmanager/lang/de/template-tags.json
@@ -8,6 +8,9 @@
     "lang_name": "Name",
     "lang_newRole": "Rolle anlegen",
     "lang_numAssignedUsers": "Benutzer mit dieser Rolle",
+    "lang_permissionDeniedBody": "Ihnen fehlt eine oder mehrere Berechtigungen, um auf diese Seite oder Funktion zuzugreifen.",
+    "lang_permissionDeniedHeader": "Zugriff verweigert",
+    "lang_permission": "Berechtigung",
     "lang_permissions": "Rechte",
     "lang_removeRole": "Rollen entziehen",
     "lang_roleDeleteConfirm": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen m\u00f6chten? Benutzer, denen diese Rolle zugewiesen ist, werden die entsprechenden Berechtigungen verlieren.",
@@ -17,4 +20,4 @@
     "lang_selectizePlaceholder": "Nach Rollen filtern...",
     "lang_users": "Nutzer",
     "lang_view": "Anzeigen"
-}
\ No newline at end of file
+}
diff --git a/modules-available/permissionmanager/lang/en/template-tags.json b/modules-available/permissionmanager/lang/en/template-tags.json
index b7a1d77a..92c3ac26 100644
--- a/modules-available/permissionmanager/lang/en/template-tags.json
+++ b/modules-available/permissionmanager/lang/en/template-tags.json
@@ -8,6 +8,9 @@
     "lang_name": "Name",
     "lang_newRole": "New Role",
     "lang_numAssignedUsers": "Users with this role",
+    "lang_permissionDeniedBody": "You are missing one or more permissions to access this page or functionality.",
+    "lang_permissionDeniedHeader": "Access denied",
+    "lang_permission": "Permission",
     "lang_permissions": "Permissions",
     "lang_removeRole": "Revoke Roles",
     "lang_roleDeleteConfirm": "Are you sure you want to delete this role? Users currently assigned to this role will lose the according permissions.",
@@ -17,4 +20,4 @@
     "lang_selectizePlaceholder": "Filter for roles...",
     "lang_users": "Users",
     "lang_view": "View"
-}
\ No newline at end of file
+}
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index d326bb94..828891ab 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -50,6 +50,15 @@ class Page_PermissionManager extends Page
 	{
 		$show = Request::get("show", false, 'string');
 
+		// "Public" page -- nice "permission denied" message
+		if ($show === 'denied') {
+			Render::addTemplate('page-permission-denied', [
+				'name' => User::getName(),
+				'permission' => Request::get('permission', false, 'string'),
+			]);
+			return;
+		}
+
 		if ($show === false) {
 			foreach (['roles', 'users', 'locations'] as $show) {
 				if (User::hasPermission($show . '.*'))
diff --git a/modules-available/permissionmanager/style.css b/modules-available/permissionmanager/style.css
index 6169b26f..dca38eeb 100644
--- a/modules-available/permissionmanager/style.css
+++ b/modules-available/permissionmanager/style.css
@@ -58,4 +58,9 @@ td > .label {
 
 .btn-group-muted > button {
     color: #aaa;
-}
\ No newline at end of file
+}
+
+h1 span.glyphicon {
+    top: 9px;
+}
+
diff --git a/modules-available/permissionmanager/templates/page-permission-denied.html b/modules-available/permissionmanager/templates/page-permission-denied.html
new file mode 100644
index 00000000..cc357a0b
--- /dev/null
+++ b/modules-available/permissionmanager/templates/page-permission-denied.html
@@ -0,0 +1,21 @@
+<br><br>
+<div class="jumbotron">
+	<h1>
+		<span class="text-danger">
+			<span class="glyphicon glyphicon-ban-circle"></span>
+			{{lang_permissionDeniedHeader}}
+		</span>
+	</h1>
+	<br><br>
+	<p>
+		{{lang_permissionDeniedBody}}
+	</p>
+	{{#permission}}
+	<div>
+		{{lang_permission}}: <b>{{permission}}</b>
+	</div>
+	{{/permission}}
+	<div>
+		{{lang_user}}: <b>{{name}}</b>
+	</div>
+</div>
-- 
cgit v1.2.3-55-g7522