From: Alexander Ebert
Date: Tue, 27 May 2014 20:36:52 +0000 (+0200)
Subject: Preventing users from granting more permissions than they have
X-Git-Tag: 2.1.0_Alpha_1~786^2~10
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1c05b7e694f3fc3e65561fe110ba077945d77b86;p=GitHub%2FWoltLab%2FWCF.git
Preventing users from granting more permissions than they have
---
diff --git a/wcfsetup/install/files/acp/templates/userGroupOption.tpl b/wcfsetup/install/files/acp/templates/userGroupOption.tpl
index 14b94387ae..ab6cd929d9 100644
--- a/wcfsetup/install/files/acp/templates/userGroupOption.tpl
+++ b/wcfsetup/install/files/acp/templates/userGroupOption.tpl
@@ -58,6 +58,11 @@
{@$formElements[$group->groupID]} + {if $errorType[$group->groupID]|isset} + + {lang}wcf.acp.group.option.error.{$errorType[$group->groupID]}{/lang} + + {/if} {hascontent}{content}{lang __optional=true}wcf.acp.group.option.{@$userGroupOption->optionName}.description{/lang}{/content}{/hascontent}
diff --git a/wcfsetup/install/files/lib/acp/form/UserGroupOptionForm.class.php b/wcfsetup/install/files/lib/acp/form/UserGroupOptionForm.class.php index 9f5ab252b1..898bd96ab0 100644 --- a/wcfsetup/install/files/lib/acp/form/UserGroupOptionForm.class.php +++ b/wcfsetup/install/files/lib/acp/form/UserGroupOptionForm.class.php @@ -157,6 +157,10 @@ class UserGroupOptionForm extends AbstractForm { catch (UserInputException $e) { $this->errorType[$e->getField()] = $e->getType(); } + + if ($this->optionType->compare($optionValue, WCF::getSession()->getPermission($this->userGroupOption->optionName)) == 1) { + $this->errorType[$groupID] = 'exceedsOwnPermission'; + } } // add missing values for option type 'boolean' diff --git a/wcfsetup/install/files/lib/system/option/AbstractOptionType.class.php b/wcfsetup/install/files/lib/system/option/AbstractOptionType.class.php index 2725a8b963..3889a6c278 100644 --- a/wcfsetup/install/files/lib/system/option/AbstractOptionType.class.php +++ b/wcfsetup/install/files/lib/system/option/AbstractOptionType.class.php @@ -48,7 +48,7 @@ abstract class AbstractOptionType implements IOptionType { /** * @see \wcf\system\option\IOptionType::compare() */ - public function compare() { + public function compare($value1, $value2) { return 0; } } diff --git a/wcfsetup/install/files/lib/system/option/BooleanOptionType.class.php b/wcfsetup/install/files/lib/system/option/BooleanOptionType.class.php index 7c8fb32b3a..51038c199c 100644 --- a/wcfsetup/install/files/lib/system/option/BooleanOptionType.class.php +++ b/wcfsetup/install/files/lib/system/option/BooleanOptionType.class.php @@ -99,6 +99,6 @@ class BooleanOptionType extends AbstractOptionType implements ISearchableUserOpt return 0; } - return ($value1 === true) ? 1 : -1; + return ($value1) ? 1 : -1; } } 
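Review bot: The new comparison in UserGroupOptionForm runs for every caller, while the parallel check added to UserGroupOptionHandler::validateOption (in the hunk further down) is skipped when `$this->isAdmin()` is true, so the two entry points enforce different rules for members of an admin group; both paths should apply the same rule. The assignment `$this->errorType[$groupID] = 'exceedsOwnPermission';` also runs unconditionally and overwrites whatever type the preceding catch block stored for the same key (assuming `$e->getField()` yields the group ID there), so the first validation error is lost. Guarding it, `if (!isset($this->errorType[$groupID]) && $this->optionType->compare($optionValue, WCF::getSession()->getPermission($this->userGroupOption->optionName)) === 1) {`, keeps the earlier error and uses a strict comparison against compare()'s integer result. The enclosing loop and method start and end outside the hunk.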
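Review bot: AbstractOptionType::compare() still returns 0 under the new `($value1, $value2)` signature, so any option type that does not override it reports every pair of values as equal and the `exceedsOwnPermission` check this commit builds on top of it never fires for that type. That is fail-open behaviour and should at least be stated in the docblock, e.g. `* Default implementation treats all values as equal; option types whose values can be ranked must override this, otherwise permission-escalation checks relying on compare() are no-ops.` Whether callers should instead reject option types that cannot rank their values is a design question this hunk leaves open.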
diff --git a/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php b/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php index 1cb5b3b2b4..7a63e3cfb4 100644 --- a/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php +++ b/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php @@ -4,6 +4,9 @@ use wcf\data\user\group\UserGroup; use wcf\system\exception\SystemException; use wcf\system\option\OptionHandler; use wcf\util\ClassUtil; +use wcf\system\WCF; +use wcf\system\exception\UserInputException; +use wcf\data\option\Option; /** * Handles user group options. @@ -27,6 +30,12 @@ class UserGroupOptionHandler extends OptionHandler { */ protected $group = null; + /** + * true if current user can edit every user group + * @var boolean + */ + protected $isAdmin = null; + /** * Sets current user group. * @@ -70,4 +79,40 @@ class UserGroupOptionHandler extends OptionHandler { } } } + + /** + * Returns true if current user has the permissions to edit every user group. + * + * @return boolean + */ + protected function isAdmin() { + if ($this->isAdmin === null) { + $this->isAdmin = false; + + foreach (WCF::getUser()->getGroupIDs() as $groupID) { + if (UserGroup::getGroupByID($groupID)->isAdminGroup()) { + $this->isAdmin = true; + break; + } + } + } + + return $this->isAdmin; + } + + /** + * @see \wcf\system\option\OptionHandler::validateOption() + */ + protected function validateOption(Option $option) { + parent::validateOption($option); + + if (!$this->isAdmin()) { + // get type object + $typeObj = $this->getTypeObject($option->optionType); + + if ($typeObj->compare($this->optionValues[$option->optionName], WCF::getSession()->getPermission($option->optionName)) == 1) { + throw new UserInputException($option->optionName, 'exceedsOwnPermission'); + } + } + } } 
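Review bot: validateOption() reads `$this->optionValues[$option->optionName]` without checking that the key exists; the form hunk in this same commit adds "missing values for option type 'boolean'" only after validation, so if unsubmitted options are likewise absent from `optionValues` here, this emits a notice and passes null into compare(). Reading it as `$value = isset($this->optionValues[$option->optionName]) ? $this->optionValues[$option->optionName] : null;` makes the "not submitted" case explicit rather than accidental. Two smaller points: `== 1` should be `=== 1` since compare() returns an int, and the new property docblock `@var boolean` should read `@var boolean|null`, because null is the not-yet-computed sentinel that isAdmin() tests for. The same issues do not affect the two preceding hunks (imports and the property declaration).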
diff --git a/wcfsetup/install/files/lib/system/option/user/group/UserGroupsUserGroupOptionType.class.php b/wcfsetup/install/files/lib/system/option/user/group/UserGroupsUserGroupOptionType.class.php index 2c0843c803..dbe99d1a61 100644 --- a/wcfsetup/install/files/lib/system/option/user/group/UserGroupsUserGroupOptionType.class.php +++ b/wcfsetup/install/files/lib/system/option/user/group/UserGroupsUserGroupOptionType.class.php @@ -80,8 +80,8 @@ class UserGroupsUserGroupOptionType extends AbstractOptionType implements IUserG * @see \wcf\system\option\IOptionType::compare() */ public function compare($value1, $value2) { - $value1 = explode(',', $value1); - $value2 = explode(',', $value2); + $value1 = ($value1) ? explode(',', $value1) : array(); + $value2 = ($value2) ? explode(',', $value2) : array(); // check if value1 contains more elements than value2 $diff = array_diff($value1, $value2); diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml index e0b849831e..ac829df136 100644 --- a/wcfsetup/install/lang/de.xml +++ b/wcfsetup/install/lang/de.xml @@ -280,6 +280,7 @@ + maxvalue !== null} Der maximale Wert ist {#$option->maxvalue}.{/if}]]> minvalue !== null} Der minimale Wert ist {#$option->minvalue}.{/if}]]> diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml index e0c638cc76..46275d16ff 100644 --- a/wcfsetup/install/lang/en.xml +++ b/wcfsetup/install/lang/en.xml @@ -279,6 +279,7 @@ Examples for medium ID detection: + maxvalue !== null} The maximum value is {#$option->maxvalue}.{/if}]]> minvalue !== null} The minimum value is {#$option->minvalue}.{/if}]]>
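Review bot: `$value1 = ($value1) ? explode(',', $value1) : array();` relies on PHP truthiness, so the string `'0'` is treated as an empty list and compared as "no groups"; if group ID 0 can never appear in these comma lists that is harmless but deserves a comment, otherwise test for the empty case explicitly, `$value1 = ($value1 !== null && $value1 !== '') ? explode(',', $value1) : array();` and likewise for `$value2`. The array_diff that ranks the two lists is visible as context, but compare() continues past the end of the hunk.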