Only modify permissions the user has access to

6 years ago · 48b28fc3cd
parent 4bd4eec53d
commit 48b28fc3cd
1 changed files with 35 additions and 1 deletions
--- a/admin/manage_permission_groups.php
+++ b/admin/manage_permission_groups.php
@ -365,7 +365,6 @@ function save()
        WHERE `id` = " . intval($templateId));
    $row = hesk_dbFetchAssoc($res);

-
    // Add 'can ban emails' if 'can unban emails' is set (but not added). Same with 'can ban ips'
    $catArray = hesk_POST_array('categories');
    $featArray = hesk_POST_array('features');
@ -380,6 +379,41 @@ function save()
    $features = implode(',', $featArray);
    $name = hesk_POST('name');

+    // Only allow users to add what they are allowed to add
+    // Admins can handle anything
+    if (!$_SESSION['isadmin']) {
+        // Update categories based on user visibility
+        $originalCategories = explode(',', $row['categories']);
+        $newCategories = array();
+        foreach ($originalCategories as $innerCategory) {
+            if (in_array($innerCategory, $catArray) && in_array($innerCategory, $_SESSION['categories'])) {
+                $newCategories[] = $innerCategory;
+            } elseif (!in_array($innerCategory, $catArray) && !in_array($innerCategory, $_SESSION['categories'])) {
+                // The user can't modify this, so keep it in
+                $newCategories[] = $innerCategory;
+            }
+            // If neither, the user removed it.
+        }
+
+        // Update features based on user visibility
+        $originalFeatures = explode(',', $row['features']);
+        $newFeatures = array();
+        foreach ($originalFeatures as $innerFeature) {
+            if (in_array($innerFeature, $featArray) && strpos($_SESSION['heskprivileges'], $innerFeature) !== false) {
+                $newFeatures[] = $innerFeature;
+            } elseif (!in_array($innerFeature, $featArray) && strpos($_SESSION['heskprivileges'], $innerFeature) === false) {
+                // The user can't modify this, so keep it in
+                $newFeatures[] = $innerFeature;
+            }
+            // If neither, the user removed it.
+        }
+
+        $categories = implode(',', $newCategories);
+        $features = implode(',', $newFeatures);
+    }
+
+
+
    hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "permission_templates`
        SET `categories` = '" . hesk_dbEscape($categories) . "', `heskprivileges` = '" . hesk_dbEscape($features) . "',
            `name` = '" . hesk_dbEscape($name) . "'