From dd4b70d2a9543e62aaff10b9fc8fd03df2ecc1ad Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sat, 11 Apr 2020 18:11:33 +0200
Subject: [PATCH] Restrict the ability to modify some permissions when running in enterprise mode
---
 .../group/UserGroupOptionHandler.class.php | 38 +++++++++++++++----
 1 file changed, 30 insertions(+), 8 deletions(-)
diff --git a/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php b/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php
index 333571d24e..a8bfa3735a 100644
--- a/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/option/user/group/UserGroupOptionHandler.class.php
@@ -41,6 +41,25 @@ class UserGroupOptionHandler extends OptionHandler {
 */
 protected $isOwner = null;
+ /**
+ * List of permission names that may not be altered when the enterprise mode is active.
+ * @var string[]
+ */
+ protected $enterpriseBlacklist = [
+ // Configuration
+ 'admin.configuration.canManageApplication',
+ 'admin.configuration.package.canUpdatePackage',
+ 'admin.configuration.package.canEditServer',
+ // User
+ 'admin.user.canMailUser',
+ // Management
+ 'admin.management.canImportData',
+ 'admin.management.canManageCronjob',
+ 'admin.management.canRebuildData',
+ ];
+
 /**
 * Sets current user group.
 *
@@ -118,7 +137,6 @@ class UserGroupOptionHandler extends OptionHandler {
 * Returns true if current user has the permissions to edit every user group.
 *
 * @return boolean
- * @deprecated 5.2
 */
 protected function isAdmin() {
 if ($this->isAdmin === null) {
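Review bot: The docblock on `$enterpriseBlacklist` states that these permissions "may not be altered when the enterprise mode is active", but validateOption (third hunk) only routes blacklisted names back to the ordinary exceedsOwnPermission comparison, so an administrator who holds such a permission can still grant it to another group; only a value exceeding the editor's own permission is rejected. If a hard block is intended, validateOption should throw for blacklisted names before reaching the compare; if the fall-through is intended, the docblock should say what the code does, e.g. `* Permission names that remain subject to the exceedsOwnPermission check for administrators in enterprise mode.` Which of the two is wanted is a product decision the patch does not state. Since the list is a protected, mutable property, a subclass can also shrink it silently; a class constant would make the set harder to weaken by accident.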
@@ -148,13 +166,17 @@ class UserGroupOptionHandler extends OptionHandler {
 protected function validateOption(Option $option) {
 parent::validateOption($option);
- if (!$this->isOwner()) {
- // get type object
- $typeObj = $this->getTypeObject($option->optionType);
-
- if ($typeObj->compare($this->optionValues[$option->optionName], WCF::getSession()->getPermission($option->optionName)) == 1) {
- throw new UserInputException($option->optionName, 'exceedsOwnPermission');
- }
+ if ($this->isOwner()) {
+ return;
+ }
+
+ if (ENABLE_ENTERPRISE_MODE && $this->isAdmin() && !in_array($option->optionName, $this->enterpriseBlacklist)) {
+ return;
+ }
+
+ $typeObj = $this->getTypeObject($option->optionType);
+ if ($typeObj->compare($this->optionValues[$option->optionName], WCF::getSession()->getPermission($option->optionName)) == 1) {
+ throw new UserInputException($option->optionName, 'exceedsOwnPermission');
 }
 }
 }
--
2.20.1
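Review bot: The new membership test `in_array($option->optionName, $this->enterpriseBlacklist)` uses loose comparison; since this decides whether a permission check is skipped, pass the strict flag so only an exact string match counts, `!in_array($option->optionName, $this->enterpriseBlacklist, true)`. The early return in that branch means the exceedsOwnPermission comparison is never evaluated for non-blacklisted permissions, so in enterprise mode an administrator can assign permissions they do not hold themselves; if that is the intended trade-off, it deserves a one-line comment above the `if`, e.g. `// Enterprise mode: administrators may assign permissions beyond their own, except the blacklisted ones.` Whether isAdmin() is a sufficient gate for this cannot be judged from the hunk, as its body lies outside it.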