Allow moderators to view a stripped down version of the user page in the broom closet.

2023-07-25 14:52:51 +00:00 · 2023-07-25 14:52:51 +00:00 · bd683d8404
parent 3299d73df2
commit bd683d8404
2 changed files with 29 additions and 18 deletions
--- a/public-legacy/manage/users/user.php
+++ b/public-legacy/manage/users/user.php
@ -6,15 +6,25 @@ use Index\Colour\Colour;
 use Misuzu\Users\User;
 use Misuzu\Users\UserRole;

-if(!User::hasCurrent() || !perms_check_user(MSZ_PERMS_USER, User::getCurrent()->getId(), MSZ_PERM_USER_MANAGE_USERS)) {
+if(!User::hasCurrent()) {
+    echo render_error(403);
+    return;
+}
+
+$currentUser = User::getCurrent();
+$currentUserId = $currentUser->getId();
+
+$canManageUsers = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_USERS);
+$canManagePerms = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_PERMS);
+$canManageNotes = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_NOTES);
+
+if(!$canManageUsers && !$canManageNotes) {
    echo render_error(403);
    return;
 }

 $notices = [];
 $userId = (int)filter_input(INPUT_GET, 'u', FILTER_SANITIZE_NUMBER_INT);
-$currentUser = User::getCurrent();
-$currentUserId = $currentUser->getId();

 try {
    $userInfo = User::byId($userId);
@ -23,10 +33,9 @@ try {
    return;
 }

-$canEdit = $currentUser->hasAuthorityOver($userInfo);
-$canEditPerms = $canEdit && perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_PERMS);
-$canManageNotes = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_NOTES);
-$permissions = manage_perms_list(perms_get_user_raw($userId));
+$canEdit = $canManageUsers && $currentUser->hasAuthorityOver($userInfo);
+$canEditPerms = $canEdit && $canManagePerms;
+$permissions = $canEditPerms ? manage_perms_list(perms_get_user_raw($userId)) : [];

 if(CSRF::validateRequest() && $canEdit) {
    if(!empty($_POST['impersonate_user'])) {
--- a/templates/manage/users/user.twig
+++ b/templates/manage/users/user.twig
@ -176,19 +176,21 @@
            </form>
        {% endif %}

-        <form method="post" action="{{ url('manage-user', {'user': user_info.id}) }}" class="container manage__user__container">
-            {{ container_title('Permissions for ' ~ user_info.username ~ ' (' ~ user_info.id ~ ')') }}
+        {% if permissions is not empty %}
+            <form method="post" action="{{ url('manage-user', {'user': user_info.id}) }}" class="container manage__user__container">
+                {{ container_title('Permissions for ' ~ user_info.username ~ ' (' ~ user_info.id ~ ')') }}

-            {{ permissions_table(permissions, not can_edit_perms) }}
+                {{ permissions_table(permissions, not can_edit_perms) }}

-            {% if can_edit_perms %}
-                {{ input_csrf() }}
+                {% if can_edit_perms %}
+                    {{ input_csrf() }}

-                <div class="manage__user__buttons">
-                    <button class="input__button manage__user__button">Save</button>
-                    <button class="input__button manage__user__button" type="reset">Reset</button>
-                </div>
-            {% endif %}
-        </form>
+                    <div class="manage__user__buttons">
+                        <button class="input__button manage__user__button">Save</button>
+                        <button class="input__button manage__user__button" type="reset">Reset</button>
+                    </div>
+                {% endif %}
+            </form>
+        {% endif %}
    </div>
 {% endblock %}