From c4bdc30803c13faa54009231d9d89ba1b89c9388 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Fri, 14 Jun 2024 12:21:24 +0200
Subject: [PATCH] Filter out restricted permissions in enterprise mode
---
 ...oupOptionACPSearchResultProvider.class.php | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php
index b000a71426..dd46609a00 100644
--- a/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php
+++ b/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php
@@ -24,6 +24,15 @@ class UserGroupOptionACPSearchResultProvider extends AbstractCategorizedACPSearc
 */
 protected $listClassName = UserGroupOptionCategoryList::class;

+ private array $restrictedOptionNames = [
+ 'admin.configuration.package.canUpdatePackage',
+ 'admin.configuration.package.canEditServer',
+ 'admin.user.canMailUser',
+ 'admin.management.canManageCronjob',
+ 'admin.management.canRebuildData',
+ 'admin.management.canImportData',
+ ];
+
 /**
 * @inheritDoc
 */
@@ -89,6 +98,10 @@ class UserGroupOptionACPSearchResultProvider extends AbstractCategorizedACPSearc
 continue;
 }

+ if ($this->isUnavailableOption($userGroupOption)) {
+ continue;
+ }
+
 $link = LinkHandler::getInstance()->getLink('UserGroupOption', ['id' => $userGroupOption->optionID]);
 $categoryName = $userGroupOption->categoryName;
 $parentCategories = [];
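Review bot: `$restrictedOptionNames` in the first hunk is a fixed list of security-sensitive permission names with no comment saying what it represents or where the authoritative copy lives. I would add `// Permissions hidden from non-owners in enterprise mode; keep in sync with the code that enforces the restriction.` above it, since a name missing from this list silently reappears in the search results. Because the list never varies per instance, `private const RESTRICTED_OPTION_NAMES = [` read through `self::RESTRICTED_OPTION_NAMES` in `isUnavailableOption()` would state the intent better than a mutable property. The class declaration starts outside the hunk.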
@@ -119,4 +132,29 @@ class UserGroupOptionACPSearchResultProvider extends AbstractCategorizedACPSearc

 return $results;
 }
+
+ /**
+ * @since 6.0
+ */
+ private function isUnavailableOption(UserGroupOption $userGroupOption): bool
+ {
+ if (!\defined('ENABLE_ENTERPRISE_MODE') || !\ENABLE_ENTERPRISE_MODE) {
+ return false;
+ }
+
+ if (!\in_array($userGroupOption->optionName, $this->restrictedOptionNames, true)) {
+ return false;
+ }
+
+ if (WCF::getUser()->hasOwnerAccess()) {
+ return false;
+ }
+
+ // Allow the option to appear if the user has this permission.
+ if (WCF::getSession()->getPermission($userGroupOption->optionName)) {
+ return false;
+ }
+
+ return true;
+ }
 }
--
2.20.1
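Review bot: `isUnavailableOption()` only removes restricted options from the ACP search results, so it is a visibility filter rather than an access check, and its docblock (just `@since 6.0`) does not say so. The patch does not show whether the `UserGroupOption` page that each result links to applies the same enterprise-mode rule to non-owners; that should be confirmed, because hiding the search result alone does not restrict access to the page. I would extend the docblock with `Returns true if the option is restricted in enterprise mode and the current user is neither an owner nor already holds the permission.` and a second line stating that enforcement happens elsewhere.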