Prevent regular users from enabling the template editor for themselve…

…s (see #749)
contao · Sep 30, 2019 · 8286bf5 · 8286bf5
1 parent df1b3ed
commit 8286bf5
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 4 deletions.
diff --git a/src/Resources/contao/dca/tl_user.php b/src/Resources/contao/dca/tl_user.php
@@ -731,21 +731,36 @@ public function sessionField(DataContainer $dc)
 	/**
 	 * Return all modules except profile modules
 	 *
+	 * @param DataContainer $dc
+	 *
 	 * @return array
 	 */
-	public function getModules()
+	public function getModules(DataContainer $dc)
 	{
 		$arrModules = array();
 
 		foreach ($GLOBALS['BE_MOD'] as $k=>$v)
 		{
 			if (!empty($v))
 			{
-				unset($v['undo']);
 				$arrModules[$k] = array_keys($v);
 			}
 		}
 
+		// Unset the undo module as it is always allowed
+		if (($key = array_search('undo', $arrModules['system'])) !== false)
+		{
+			unset($arrModules['system'][$key]);
+		}
+
+		$modules = Contao\StringUtil::deserialize($dc->activeRecord->modules);
+
+		// Unset the template editor unless the user is an administrator or has been granted access to the template editor
+		if (!$this->User->isAdmin && (!is_array($modules) || !in_array('tpl_editor', $modules)) && ($key = array_search('tpl_editor', $arrModules['design'])) !== false)
+		{
+			unset($arrModules['design'][$key]);
+		}
+
 		return $arrModules;
 	}
 

diff --git a/src/Resources/contao/dca/tl_user_group.php b/src/Resources/contao/dca/tl_user_group.php
@@ -293,21 +293,36 @@ public function addIcon($row, $label)
 	/**
 	 * Return all modules except profile modules
 	 *
+	 * @param DataContainer $dc
+	 *
 	 * @return array
 	 */
-	public function getModules()
+	public function getModules(DataContainer $dc)
 	{
 		$arrModules = array();
 
 		foreach ($GLOBALS['BE_MOD'] as $k=>$v)
 		{
 			if (!empty($v))
 			{
-				unset($v['undo']);
 				$arrModules[$k] = array_keys($v);
 			}
 		}
 
+		// Unset the undo module as it is always allowed
+		if (($key = array_search('undo', $arrModules['system'])) !== false)
+		{
+			unset($arrModules['system'][$key]);
+		}
+
+		$modules = Contao\StringUtil::deserialize($dc->activeRecord->modules);
+
+		// Unset the template editor unless the user is an administrator or has been granted access to the template editor
+		if (!$this->User->isAdmin && (!is_array($modules) || !in_array('tpl_editor', $modules)) && ($key = array_search('tpl_editor', $arrModules['design'])) !== false)
+		{
+			unset($arrModules['design'][$key]);
+		}
+
 		return $arrModules;
 	}