<?php
/*
* This file is part of Flarum.
*
* (c) Toby Zerner <toby.zerner@gmail.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Flarum\User;
use Flarum\Group\Group;
use Flarum\User\Event\Saving;
use Flarum\User\Exception\PermissionDeniedException;
use Illuminate\Support\Arr;
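class SelfDemotionGuard
{
    /**
     * Prevent an admin from removing their own admin permission via the API.
     *
     * Only an actor editing their own record is inspected: demoting another
     * user is always fine because the actor remains an admin. A malformed
     * `groups` relationship (not an array, or entries without a usable `id`)
     * is treated as "admin group not present" and therefore denied, instead of
     * surfacing as a TypeError from array_filter() or an undefined-key warning.
     *
     * @param Saving $event
     * @throws PermissionDeniedException if the actor would leave the admin group
     */
    public function handle(Saving $event): void
    {
        // Non-admin users pose no problem.
        if (! $event->actor->isAdmin()) {
            return;
        }

        // Only admins can demote users, so demoting someone else is fine:
        // at least one admin (the actor) is left.
        if ($event->actor->id !== $event->user->id) {
            return;
        }

        $groups = Arr::get($event->data, 'relationships.groups.data');

        // No group data at all (not even an empty array) means the groups
        // relationship is untouched by this edit, so nothing can be removed.
        if (! isset($groups)) {
            return;
        }

        // Anything other than a list of resource identifiers cannot keep the
        // admin group; it falls through to the denial below (fail closed).
        if (is_array($groups) && $this->containsAdminGroup($groups)) {
            return;
        }

        // Reaching this point means the edit would drop the admin group.
        throw new PermissionDeniedException;
    }

    /**
     * Whether the submitted group resource identifiers include the admin group.
     *
     * The `id` in the request payload and Group::ADMINISTRATOR_ID may differ in
     * scalar type (string vs int), so both are normalised to strings and
     * compared strictly rather than relying on loose `==`. Entries that are not
     * arrays, or whose `id` is neither an int nor a string, never match.
     *
     * @param array $groups
     * @return bool
     */
    private function containsAdminGroup(array $groups): bool
    {
        $adminId = (string) Group::ADMINISTRATOR_ID;

        foreach ($groups as $group) {
            if (! is_array($group)) {
                continue;
            }

            $id = $group['id'] ?? null;

            if (! is_int($id) && ! is_string($id)) {
                continue;
            }

            if ((string) $id === $adminId) {
                return true;
            }
        }

        return false;
    }
}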