Issue #5064 - Draft fix for user impersonation (getperms())

class2.php

@@ -1317,8 +1317,17 @@ function check_class($var, $userclass = null, $uid = 0)
 function getperms($arg, $ap = ADMINPERMS, $path = e_SELF)
 {
 	// $ap = "4"; // Just for testing.
+	if(trim($ap) === '')
+	{
+		return false;
+	}
 
-	if(!deftrue('ADMIN') || trim($ap) === '')
+	if(deftrue('USE_NEW_GETPERMS')) // Add to e107_config.php.
+	{
+		return e107::getUser()->checkAdminPerms($arg,$ap,$path);
+	}
+
+	if(!deftrue('ADMIN'))
 	{
 		return false;
 	}
@@ -1630,6 +1639,13 @@ function init_session()
 		define('USERJOINED', '');
 		define('e_CLASS_REGEXP', '(^|,)(253|254|250|251|0)(,|$)');
 		define('e_NOBODY_REGEXP', '(^|,)255(,|$)');
+
+		/* $user->set('user_id', 1);
+		$user->set('user_name','e107-cli');
+		$user->set('user_admin', 1);
+		$user->set('user_perms', '0');
+		$user->set('user_class', '');
+		$user->set('user_join', '');*/
 		return;
 	}
 

e107_handlers/user_model.php

@@ -646,13 +646,70 @@ final public function checkClass($class, $allowMain = true)
 	}
 
 	/**
-	 * @param $perm_str
+	 * @param str   $arg
+	 * @param str   $ap
+	 * @param str   $path
 	 * @return bool
 	 */
-	final public function checkAdminPerms($perm_str)
+	final public function checkAdminPerms($arg, $ap = null, $path = null)
 	{
 		// FIXME - method to replace getperms()
-		return ($this->isAdmin() && getperms($perm_str, $this->getAdminPerms()));
+
+		if(!$this->isAdmin())
+		{
+			return false;
+		}
+
+		if($ap === null)
+		{
+			$ap = $this->getAdminPerms();
+		}
+
+		if($arg === 0) // Common-error avoidance with getperms(0)
+		{
+			$arg = '0';
+		}
+
+		if ($ap === '0' || $ap === '0.') // BC fix.
+		{
+			return true;
+		}
+
+		if ($arg === 'P' && !empty($path) && preg_match('#(.*?)/' .e107::getInstance()->getFolder('plugins'). '(.*?)/(.*?)#', $path, $matches))
+		{
+			$sql = e107::getDb('psql');
+		/*	$id = e107::getPlug()->load($matches[2])->getId();
+			$arg = 'P'.$id;*/
+
+			if ($sql->select('plugin', 'plugin_id', "plugin_path = '".$matches[2]."' LIMIT 1 "))
+			{
+				$row = $sql->fetch();
+				$arg = 'P'.$row['plugin_id'];
+			}
+		}
+
+		$ap_array = explode('.',$ap);
+
+		if (in_array($arg,$ap_array,false))
+		{
+			return true;
+		}
+
+		if(strpos($arg, "|"))
+		{
+	        $tmp = explode("|", $arg);
+			foreach($tmp as $val)
+			{
+			    if(in_array($val,$ap_array))
+				{
+					return true;
+				}
+			}
+		}
+
+
+		return false;
+		//return ($this->isAdmin() && getperms($perm_str, $this->getAdminPerms()));
 	}
 
 	/**

e107_languages/English/admin/help/menus.php

@@ -10,7 +10,7 @@
 
 if(!defined('e107_INIT')){ exit; }
 
-if (!getperms("2")) 
+if (!getperms("2") && !e107::isCli())
 {
 	e107::redirect();
 	exit;

e107_tests/tests/unit/class2Test.php

@@ -11,8 +11,22 @@
 
 	class class2Test extends \Codeception\Test\Unit
 	{
+		public $usr;
+		/*protected function _before()
+		{
+
+			try
+			{
+				$this->usr = $this->make('e_user_model');
+			}
+			catch(Exception $e)
+			{
+				$this->fail( "Couldn't load e_user_model object");
+			}
 
+			e107::getUser()->load(1); // load user_id  = 1.
 
+		}*/
 
 		function testLoadClass2()
 		{
@@ -23,6 +37,11 @@ function testLoadClass2()
 
 		function testGetPerms()
 		{
+		//	$this->markTestSkipped("Skipped - CLI mode changes behavior.");
+			// See class2.php Line 1643
+
+			$result = getperms('N', '5');
+			$this->assertFalse($result);
 
 			$result = getperms('N', '0');
 			$this->assertTrue($result);
@@ -47,6 +66,12 @@ function testGetPerms()
 
 		}
 
+		function testUserModel()
+		{
+			$result = e107::getUser();
+			var_dump($result);
+		}
+
 
 
 		function testCheckClass()

e107_tests/tests/unit/languageTest.php

@@ -17,7 +17,7 @@ protected function _before()
 
 			catch(Exception $e)
 			{
-				$this->assertTrue(false, $e->getMessage());
+				$this->fail( $e->getMessage());
 			}
 
 		}