From 457c946946b7495a7de6bddbc591d1672905c610 Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov <yasen@lindeas.com>
Date: Sun, 27 Apr 2025 15:48:07 +0300
Subject: [PATCH] Adds some user right restrictions

---
 app/pages/config.php        | 3 ++-
 app/templates/config.php    | 3 ++-
 app/templates/page-menu.php | 5 ++++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/pages/config.php b/app/pages/config.php
index 48c80be..e944722 100644
--- a/app/pages/config.php
+++ b/app/pages/config.php
@@ -114,7 +114,8 @@ if (!$isAjax) {
      * Handles GET requests to display templates.
      */
 
-    if ($userObject->hasRight($userId, 'view config file')) {
+    if ($userObject->hasRight($userId, 'superuser') ||
+      $userObject->hasRight($userId, 'view config file')) {
         include '../app/templates/config.php';
     } else {
         $logObject->insertLog($userId, "Unauthorized: User \"$currentUser\" tried to access \"config\" page. IP: $user_IP", 'system');
diff --git a/app/templates/config.php b/app/templates/config.php
index eda1801..cb6180a 100644
--- a/app/templates/config.php
+++ b/app/templates/config.php
@@ -17,7 +17,8 @@
                 <i class="fas fa-wrench me-2 text-secondary"></i>
                 <?= htmlspecialchars($config['site_name']) ?> app configuration
             </h5>
-<?php if ($userObject->hasRight($userId, 'edit config file')) { ?>
+<?php if ($userObject->hasRight($userId, 'superuser') ||
+          $userObject->hasRight($userId, 'edit config file')) { ?>
             <div>
                 <button type="button" class="btn btn-outline-primary btn-sm toggle-edit" <?= !$isWritable ? 'disabled' : '' ?>>
                     <i class="fas fa-edit me-2"></i>Edit
diff --git a/app/templates/page-menu.php b/app/templates/page-menu.php
index 037fedf..6b5a2bd 100644
--- a/app/templates/page-menu.php
+++ b/app/templates/page-menu.php
@@ -65,12 +65,15 @@
                     </a>
                     <div class="dropdown-menu dropdown-menu-right">
                         <h6 class="dropdown-header">system</h6>
-<?php   if ($userObject->hasRight($userId, 'view config file')) {?>
+<?php if ($userObject->hasRight($userId, 'superuser') ||
+          $userObject->hasRight($userId, 'view config file')) {?>
                         <a class="dropdown-item" href="<?= htmlspecialchars($app_root) ?>?page=config">
                             <i class="fas fa-wrench"></i>Configuration
                         </a>
 <?php   } ?>
 <?php   if ($userObject->hasRight($userId, 'superuser') ||
+          $userObject->hasRight($userId, 'view config file') ||
+          $userObject->hasRight($userId, 'edit config file') ||
           $userObject->hasRight($userId, 'edit whitelist') ||
           $userObject->hasRight($userId, 'edit blacklist') ||
           $userObject->hasRight($userId, 'edit ratelimiting')) { ?>