From 206d0b94f4010e8a5cbce74c5afbae46adf03d74 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 9 Jan 2020 13:22:29 +0100
Subject: [permissionmanager] Make default roles "builtin" i.e. not modifiable
---
 modules-available/permissionmanager/page.inc.php | 27 +++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)
(limited to 'modules-available/permissionmanager/page.inc.php')
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 462d3163..63cbcb59 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -32,10 +32,17 @@ class Page_PermissionManager extends Page
 PermissionDbUpdate::deleteRole($id);
 } elseif ($action === 'saveRole') {
 User::assertPermission('roles.edit');
- $roleID = Request::post("roleid", false, 'int');
- if ($roleID === false) {
- Message::addError('main.parameter-missing', 'roleid');
- Util::redirect('?do=permissionmanager');
+ $roleID = Request::post("roleid", Request::REQUIRED_EMPTY, 'int');
+ if ($roleID) {
+ $existing = GetPermissionData::getRole($roleID);
+ if ($existing === false) {
+ Message::addError('invalid-role-id', $roleID);
+ Util::redirect('?do=permissionmanager');
+ }
+ if ($existing['builtin']) {
+ Message::addError('builtin-role', $existing['rolename']);
+ Util::redirect('?do=permissionmanager');
+ }
 }
 $roleName = Request::post("rolename", '', 'string');
 if (empty($roleName)) {
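Review bot: The builtin guard added here covers only `saveRole`; the `deleteRole` branch in the context line above still calls `PermissionDbUpdate::deleteRole($id)` and is not touched in this file, so whether a builtin role can still be deleted depends on code outside this view. Because immutability of the default roles is an authorization property, it would be safer enforced once inside `PermissionDbUpdate` (refusing writes to roles flagged builtin) than repeated per action in the page handler. Both new error paths also rely on `Util::redirect()` ending the request, otherwise execution falls through to the save; a comment such as `// relies on Util::redirect() terminating the request` after the builtin check would make that explicit. The `saveRole` branch starts and continues outside the hunk.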
@@ -116,7 +123,17 @@ class Page_PermissionManager extends Page
 $selectedLocations = array();
 $roleid = Request::get("roleid", false, 'int');
 if ($roleid !== false) {
- $data += GetPermissionData::getRoleData($roleid);
+ $role = GetPermissionData::getRoleData($roleid);
+ if ($role === false) {
+ Message::addError('invalid-role-id', $roleid);
+ Util::redirect('?do=permissionmanager');
+ }
+ if ($role['builtin']) {
+ // Copy the role, as it's builtin
+ $role['roleid'] = '';
+ $role['rolename'] .= ' (2)';
+ }
+ $data += $role;
 $selectedPermissions = $data["permissions"];
 $selectedLocations = $data["locations"];
 }
-- cgit v1.2.3-55-g7522
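Review bot: The comment `// Copy the role, as it's builtin` does not say how the copy comes about; presumably the emptied `roleid` makes the form post an empty id so that `saveRole` creates a new role instead of updating the builtin one. I would spell that out, e.g. `// Builtin roles are read-only: clear roleid so that saving this form creates a new role`, and note there that this is only a UI convenience, with the server-side check in `saveRole` being what actually protects the role. The fixed `' (2)'` suffix can collide when a role of that name already exists; whether role names must be unique is not visible here. The enclosing method starts and ends outside the hunk.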