level.php
3.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
<?php
/**
* @package Joomla.Administrator
* @subpackage com_users
*
* @copyright Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
defined('_JEXEC') or die;
use Joomla\Utilities\ArrayHelper;
/**
* User view level controller class.
*
* @since 1.6
*/
class UsersControllerLevel extends JControllerForm
{
/**
* @var string The prefix to use with controller messages.
* @since 1.6
*/
protected $text_prefix = 'COM_USERS_LEVEL';
/**
* Method to check if you can save a new or existing record.
*
* Overrides JControllerForm::allowSave to check the core.admin permission.
*
* @param array $data An array of input data.
* @param string $key The name of the key for the primary key.
*
* @return boolean
*
* @since 1.6
*/
protected function allowSave($data, $key = 'id')
{
return (JFactory::getUser()->authorise('core.admin', $this->option) && parent::allowSave($data, $key));
}
/**
* Overrides JControllerForm::allowEdit
*
* Checks that non-Super Admins are not editing Super Admins.
*
* @param array $data An array of input data.
* @param string $key The name of the key for the primary key.
*
* @return boolean
*
* @since 3.8.8
*/
protected function allowEdit($data = array(), $key = 'id')
{
// Get user instance
$user = JFactory::getUser();
// Check for if Super Admin can edit
$db = JFactory::getDbo();
$query = $db->getQuery(true)
->select('*')
->from($db->quoteName('#__viewlevels'))
->where($db->quoteName('id') . ' = ' . (int) $data['id']);
$db->setQuery($query);
$viewlevel = $db->loadAssoc();
// Decode level groups
$groups = json_decode($viewlevel['rules']);
// If this group is super admin and this user is not super admin, canEdit is false
if (!$user->authorise('core.admin') && JAccess::checkGroup($groups[0], 'core.admin'))
{
$this->setError(JText::sprintf('JLIB_APPLICATION_ERROR_EDIT_NOT_PERMITTED'));
return false;
}
return parent::allowEdit($data, $key);
}
/**
* Removes an item.
*
* Overrides JControllerAdmin::delete to check the core.admin permission.
*
* @return boolean Returns true on success, false on failure.
*
* @since 1.6
*/
public function delete()
{
// Check for request forgeries.
$this->checkToken();
$ids = $this->input->get('cid', array(), 'array');
if (!JFactory::getUser()->authorise('core.admin', $this->option))
{
JError::raiseError(500, JText::_('JERROR_ALERTNOAUTHOR'));
jexit();
}
elseif (empty($ids))
{
JError::raiseWarning(500, JText::_('COM_USERS_NO_LEVELS_SELECTED'));
}
else
{
// Get the model.
$model = $this->getModel();
$ids = ArrayHelper::toInteger($ids);
// Remove the items.
if (!$model->delete($ids))
{
JError::raiseWarning(500, $model->getError());
}
else
{
$this->setMessage(JText::plural('COM_USERS_N_LEVELS_DELETED', count($ids)));
}
}
$this->setRedirect('index.php?option=com_users&view=levels');
}
}