From: Alexander Ebert <ebert@woltlab.com>
Date: Fri, 14 Jun 2024 10:21:24 +0000 (+0200)
Subject: Filter out restricted permissions in enterprise mode
X-Git-Tag: 6.0.15_dev_1~3
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c4bdc30803c13faa54009231d9d89ba1b89c9388;p=GitHub%2FWoltLab%2FWCF.git

Filter out restricted permissions in enterprise mode
---

diff --git a/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php
index b000a71426..dd46609a00 100644
--- a/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php
+++ b/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php
@@ -24,6 +24,15 @@ class UserGroupOptionACPSearchResultProvider extends AbstractCategorizedACPSearc
      */
     protected $listClassName = UserGroupOptionCategoryList::class;
 
+    private array $restrictedOptionNames = [
+        'admin.configuration.package.canUpdatePackage',
+        'admin.configuration.package.canEditServer',
+        'admin.user.canMailUser',
+        'admin.management.canManageCronjob',
+        'admin.management.canRebuildData',
+        'admin.management.canImportData',
+    ];
+
     /**
      * @inheritDoc
      */
@@ -89,6 +98,10 @@ class UserGroupOptionACPSearchResultProvider extends AbstractCategorizedACPSearc
                 continue;
             }
 
+            if ($this->isUnavailableOption($userGroupOption)) {
+                continue;
+            }
+
             $link = LinkHandler::getInstance()->getLink('UserGroupOption', ['id' => $userGroupOption->optionID]);
             $categoryName = $userGroupOption->categoryName;
             $parentCategories = [];
@@ -119,4 +132,29 @@ class UserGroupOptionACPSearchResultProvider extends AbstractCategorizedACPSearc
 
         return $results;
     }
+
+    /**
+     * @since 6.0
+     */
+    private function isUnavailableOption(UserGroupOption $userGroupOption): bool
+    {
+        if (!\defined('ENABLE_ENTERPRISE_MODE') || !\ENABLE_ENTERPRISE_MODE) {
+            return false;
+        }
+
+        if (!\in_array($userGroupOption->optionName, $this->restrictedOptionNames, true)) {
+            return false;
+        }
+
+        if (WCF::getUser()->hasOwnerAccess()) {
+            return false;
+        }
+
+        // Allow the option to appear if the user has this permission.
+        if (WCF::getSession()->getPermission($userGroupOption->optionName)) {
+            return false;
+        }
+
+        return true;
+    }
 }