From 7bde027d280e3e08758d95213559677099cd3819 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 16 Feb 2018 12:20:25 +0100
Subject: [permissionmanager] Force lowercase permissions, handle locId 0 properly
---
 .../permissionmanager/inc/permissiondbupdate.inc.php | 4 ++++
 .../permissionmanager/inc/permissionutil.inc.php | 13 ++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
index f2e7a366..8a67bf24 100644
--- a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
+++ b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
@@ -53,6 +53,10 @@ class PermissionDbUpdate
 */
 public static function saveRole($rolename, $locations, $permissions, $roleid = null)
 {
+ foreach ($permissions as &$permission) {
+ $permission = strtolower($permission);
+ }
+ unset($permission);
 if ($roleid) {
 Database::exec("UPDATE role SET rolename = :rolename WHERE roleid = :roleid",
 array("rolename" => $rolename, "roleid" => $roleid));
diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index f1385bc2..b4d54055 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -50,6 +50,7 @@ class PermissionUtil
 */
 public static function userHasPermission($userid, $permissionid, $locationid)
 {
+ $permissionid = strtolower($permissionid);
 self::validatePermission($permissionid);
 $parts = explode('.', $permissionid);
 // Limit query to first part of permissionid, which is always the module id
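Review bot: Lower-casing in `saveRole` (permissiondbupdate.inc.php, hunk `@@ -53,6 +53,10 @@`) only normalises permission ids written from now on, so rows already stored with upper-case characters stay as they are. Whether they still match the lower-cased ids used by the checks depends on the column collation and on comparison code that this patch does not show. A one-off `UPDATE role_x_permission SET permissionid = LOWER(permissionid)` in the module's schema update would remove that dependency. The loop also hands every element straight to `strtolower()`, so a non-string element (if `$permissions` comes from request data) raises a warning or a TypeError depending on the PHP version; skipping or rejecting entries that fail `is_string()` would make that case explicit. The same `strtolower($permissionid)` line is repeated in `userHasPermission` and in `getAllowedLocations`, whose bodies continue outside their hunks; a single normalising helper would keep later entry points from being missed.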
@@ -60,9 +61,14 @@ class PermissionUtil
 WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
 compact('userid', 'prefix'));
 } else {
- $locations = Location::getLocationRootChain($locationid);
- if (count($locations) == 0)
- return false;
+ if ($locationid === 0) {
+ $locations = [0];
+ } else {
+ $locations = Location::getLocationRootChain($locationid);
+ if (empty($locations)) { // Non-existent location, still continue as user might have global perms
+ $locations = [0];
+ }
+ }
 $res = Database::simpleQuery("SELECT permissionid FROM role_x_permission
 INNER JOIN user_x_role USING (roleid)
 INNER JOIN role_x_location USING (roleid)
@@ -94,6 +100,7 @@ class PermissionUtil
 */
 public static function getAllowedLocations($userid, $permissionid)
 {
+ $permissionid = strtolower($permissionid);
 self::validatePermission($permissionid);
 $parts = explode('.', $permissionid);
 // Limit query to first part of permissionid, which is always the module id
-- cgit v1.2.3-55-g7522
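Review bot: In the `else` branch of `userHasPermission` (hunk `@@ -60,9 +61,14 @@`) an unknown location id is now evaluated as `[0]` instead of returning false, so the authorization check no longer fails closed for ids that do not exist. The inline comment states this is intended for global permissions, but it also means a role bound to location 0 satisfies the check for any id a caller supplies, valid or not. The docblock should say so, e.g. `@param int $locationid location to check; 0 or an unknown id is evaluated against location 0 only`. The strict `$locationid === 0` also does not match `'0'` arriving as a string, which then presumably reaches the same result only through the `empty($locations)` fallback; `if ((int)$locationid === 0) {` would make that path explicit, provided null is handled by the branch above. That branch, the rest of the if/else and the query continue outside the hunk.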