From 7afe5a3ffee64ff5c1ee7692a2ac4c83d46d6a78 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 19 Feb 2018 13:36:35 +0100
Subject: [permissionmanager] Implement permissions:

Permissinmanager is now protected by permissions.
In order to prevent complete lockout, the user with
userid == 1 will always be able to edit and assign permissions.
(TODO: Communicate this somehow)
---
 .../permissionmanager/inc/permissionutil.inc.php   | 34 +++++++++++++---------
 1 file changed, 21 insertions(+), 13 deletions(-)

(limited to 'modules-available/permissionmanager/inc/permissionutil.inc.php')

diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index b4d54055..bc42c5a0 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -53,6 +53,9 @@ class PermissionUtil
 		$permissionid = strtolower($permissionid);
 		self::validatePermission($permissionid);
 		$parts = explode('.', $permissionid);
+		// Special case: To prevent lockout, userid === 1 always has permissionmanager.*
+		if ($parts[0] === 'permissionmanager' && User::getId() === 1)
+			return true;
 		// Limit query to first part of permissionid, which is always the module id
 		$prefix = $parts[0] . '.%';
 		if (is_null($locationid)) {
@@ -103,21 +106,26 @@ class PermissionUtil
 		$permissionid = strtolower($permissionid);
 		self::validatePermission($permissionid);
 		$parts = explode('.', $permissionid);
-		// Limit query to first part of permissionid, which is always the module id
-		$prefix = $parts[0] . '.%';
-		$res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
-					INNER JOIN user_x_role USING (roleid)
-					INNER JOIN role_x_location USING (roleid)
-					WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
-			compact('userid', 'prefix'));
+		// Special case: To prevent lockout, userid === 1 always has permissionmanager.*
+		if ($parts[0] === 'permissionmanager' && User::getId() === 1) {
+			$allowedLocations = [true];
+		} else {
+			// Limit query to first part of permissionid, which is always the module id
+			$prefix = $parts[0] . '.%';
+			$res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
+						INNER JOIN user_x_role USING (roleid)
+						INNER JOIN role_x_location USING (roleid)
+						WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
+				compact('userid', 'prefix'));
 
-		// Gather locationid from relevant rows
-		self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
-		$allowedLocations = array();
-		while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
-			if (in_array($row['permissionid'], $compare, true)
+			// Gather locationid from relevant rows
+			self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
+			$allowedLocations = array();
+			while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
+				if (in_array($row['permissionid'], $compare, true)
 					|| ($wildcard !== false && strncmp($row['permissionid'], $wildcard, $wclen) === 0)) {
-				$allowedLocations[(int)$row['locationid']] = true;
+					$allowedLocations[(int)$row['locationid']] = true;
+				}
 			}
 		}
 		$locations = Location::getTree();
-- 
cgit v1.2.3-55-g7522