Restrict private preferences

Dirty hack awaiting more flexible solution.
textpattern · Nov 15, 2019 · cfc0c99 · cfc0c99
1 parent d30e510
commit cfc0c99
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/textpattern/include/txp_prefs.php b/textpattern/include/txp_prefs.php
@@ -158,7 +158,7 @@ function prefs_save()
 
 function prefs_list($message = '')
 {
-    global $prefs, $txp_user;
+    global $prefs, $txp_user, $txp_options;
 
     extract($prefs);
 
@@ -171,8 +171,14 @@ function prefs_list($message = '')
     // TODO: remove 'custom' when custom fields are refactored.
     $core_events = array('site', 'admin', 'publish', 'feeds', 'comments', 'custom');
     $joined_core = join(',', quote_list($core_events));
+    $level = has_privs();
 
     $sql = array();
+    foreach($txp_options as $pref => $option) {
+        if (is_array($option) && isset($option[0])) {
+            $sql[] = "(name != '".doSlash($pref)."' OR $level IN(".$option[0]."))";
+        }
+    }
     $sql[] = 'event != "" AND type IN('.PREF_CORE.', '.PREF_PLUGIN.')';
     $sql[] = "(user_name = '' OR (user_name = '".doSlash($txp_user)."' AND name NOT IN (
             SELECT name FROM ".safe_pfx('txp_prefs')." WHERE user_name = ''

diff --git a/textpattern/lib/admin_config.php b/textpattern/lib/admin_config.php
@@ -129,6 +129,7 @@
         'prefs.comments' => '1,2'
     ),
     'enable_dev_preview' => array(
-        'skin.preview' => '1,2,      6'
+        0 => '1,2,      6',
+        'skin.preview' => true
     )
 );
diff --git a/textpattern/lib/txplib_misc.php b/textpattern/lib/txplib_misc.php
@@ -459,7 +459,7 @@ function get_groups()
  * }
  */
 
-function has_privs($res, $user = '')
+function has_privs($res = null, $user = '')
 {
     global $txp_user, $txp_permissions;
     static $privs;
@@ -482,7 +482,9 @@ function has_privs($res, $user = '')
                 safe_field("privs", 'txp_users', "name = '".doSlash($user)."'");
         }
 
-        if (isset($txp_permissions[$res]) && $privs[$user] && $txp_permissions[$res]) {
+        if (!isset($res)) {
+            return $privs[$user];
+        } elseif (isset($txp_permissions[$res]) && $privs[$user] && $txp_permissions[$res]) {
             return in_list($privs[$user], $txp_permissions[$res]);
         }
     }
@@ -532,13 +534,17 @@ function add_privs($res, $perm = '1')
 {
     global $txp_permissions;
 
-    is_array($res) or $res = array($res => $perm);
+    if (is_array($res)) {
+        unset($res[0]);
+    } else {
+        $res = array($res => $perm);
+    }
 
     foreach($res as $priv => $group) {
         if ($group === null) {
             unset($txp_permissions[$priv]);
         } elseif (!isset($txp_permissions[$priv])) {
-            $group = join(',', do_list_unique($group));
+            $group = $group === true ? has_privs() : join(',', do_list_unique($group));
             $txp_permissions[$priv] = $group;
         }
     }