From: Alexander Ebert
Date: Mon, 8 Apr 2019 10:29:17 +0000 (+0200)
Subject: Members of the owner group may not remove themselves
X-Git-Tag: 5.2.0_Alpha_1~136^2~9
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=030e29a3f262048b0eb4981cb4bdfc7ec1cfdcd3;p=GitHub%2FWoltLab%2FWCF.git
Members of the owner group may not remove themselves
---
diff --git a/wcfsetup/install/files/acp/templates/userAdd.tpl b/wcfsetup/install/files/acp/templates/userAdd.tpl
index aab3972fec..cdf770f1f2 100644
--- a/wcfsetup/install/files/acp/templates/userAdd.tpl
+++ b/wcfsetup/install/files/acp/templates/userAdd.tpl
@@ -602,4 +602,28 @@
+{if $action === 'edit' && $ownerGroupID}
+
+{/if}
+
 {include file='footer'}
diff --git a/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php b/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php
index cdc34b9f2a..5e3493d9dd 100755
--- a/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/UserEditForm.class.php
@@ -274,7 +274,8 @@ class UserEditForm extends UserAddForm {
 'disableCoverPhoto' => $this->disableCoverPhoto,
 'disableCoverPhotoReason' => $this->disableCoverPhotoReason,
 'disableCoverPhotoExpires' => $this->disableCoverPhotoExpires,
- 'deleteCoverPhoto' => $this->deleteCoverPhoto
+ 'deleteCoverPhoto' => $this->deleteCoverPhoto,
+ 'ownerGroupID' => UserGroup::getOwnerGroupID(),
 ]);
 }
@@ -483,6 +484,14 @@ class UserEditForm extends UserAddForm {
 * @inheritDoc
 */
 public function validate() {
+ if ($this->user->userID == WCF::getUser()->userID && WCF::getUser()->hasOwnerAccess()) {
+ $ownerGroupID = UserGroup::getOwnerGroupID();
+ if ($ownerGroupID && !in_array($ownerGroupID, $this->groupIDs)) {
+ // Members of the owner group cannot remove themselves.
+ throw new PermissionDeniedException();
+ }
+ }
+
 $this->validateAvatar();
 parent::validate();
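Review bot: In the guard added at the top of `validate()`, both comparisons are loose: `$this->user->userID == WCF::getUser()->userID` and `in_array($ownerGroupID, $this->groupIDs)` without the strict flag. `$this->groupIDs` is filled from the submitted form outside this hunk; if it is not already normalised to integers, a non-integer string can compare equal to the owner group id under loose comparison, so the guard may accept a list that the save step does not treat as containing that group. I would compare strictly once the ids are known to be integers, e.g. `if ($ownerGroupID && !in_array((int) $ownerGroupID, $this->groupIDs, true)) {`, and use `===` on the cast user ids. The rest of `validate()` and the code that reads `groupIDs` lie outside the hunk, so the normalisation cannot be confirmed from here.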
diff --git a/wcfsetup/install/files/lib/data/user/group/UserGroup.class.php b/wcfsetup/install/files/lib/data/user/group/UserGroup.class.php
index 6da1c1ba72..cf651a8c2a 100644
--- a/wcfsetup/install/files/lib/data/user/group/UserGroup.class.php
+++ b/wcfsetup/install/files/lib/data/user/group/UserGroup.class.php
@@ -74,6 +74,11 @@ class UserGroup extends DatabaseObject implements ITitledObject {
 */
 protected static $accessibleGroups = null;
+ /**
+ * @var UserGroup|null
+ */
+ protected static $ownerGroup = false;
+
 /**
 * group options of this group
 * @var mixed[][]
@@ -498,4 +503,18 @@ class UserGroup extends DatabaseObject implements ITitledObject {
 'admin.user.canSearchUser',
 ];
 }
+
+ /**
+ * Returns the owner group's id unless no group was promoted yet due to backwards compatibility.
+ *
+ * @return int|null
+ * @since 5.2
+ */
+ public static function getOwnerGroupID() {
+ if (self::$ownerGroup === false) {
+ self::$ownerGroup = self::getGroupByType(self::OWNER);
+ }
+
+ return self::$ownerGroup ? self::$ownerGroup->groupID : null;
+ }
 }
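Review bot: The docblock on the new `$ownerGroup` property declares `@var UserGroup|null`, but the property is initialised to `false`, and `getOwnerGroupID()` in the second hunk relies on `=== false` to mean "not looked up yet". Document the sentinel so all three states are explicit: `@var UserGroup|null|false` plus a description line such as `cached owner group; false until the first lookup, null if no group has been promoted`. The cache is also never reset in the lines shown, so code that promotes or deletes the owner group within the same request would presumably keep seeing the earlier value. That is worth confirming, since `UserEditForm::validate()` uses this id for its self-removal guard.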