Prevent users from granting permissions they don't have

Prevents users from granting permissions that they themselves do not have. Fixes #1673, and is a partial solution to #2367. However, this still does not address the issue of being able to assign / manage groups that have permissions that the user doing the management does not themselves have. That will have to be addressed separately as a part of #2367.

modules/backend/formwidgets/PermissionEditor.php

@@ -44,7 +44,7 @@ class PermissionEditor extends FormWidgetBase
         }
 
         $this->vars['checkboxMode'] = $this->getControlMode() === 'checkbox';
-        $this->vars['permissions'] = BackendAuth::listTabbedPermissions();
+        $this->vars['permissions'] = $this->getFilteredPermissions();
         $this->vars['baseFieldName'] = $this->getFieldName();
         $this->vars['permissionsData'] = $permissionsData;
         $this->vars['field'] = $this->formField;
@@ -75,4 +75,30 @@ class PermissionEditor extends FormWidgetBase
     {
         return strlen($this->mode) ? $this->mode : 'radio';
     }
+
+    /**
+     * Returns the available permissions; removing those that the logged-in user does not have access to
+     *
+     * @return array The permissions that the logged-in user does have access to
+     */
+    protected function getFilteredPermissions()
+    {
+        $permissions = BackendAuth::listTabbedPermissions();
+        $user = BackendAuth::getUser();
+        foreach ($permissions as $tab => $permissionsArray) {
+            foreach ($permissionsArray as $index => $permission) {
+                if (!$user->hasAccess($permission->code)) {
+                    unset($permissionsArray[$index]);
+                }
+            }
+
+            if (empty($permissionsArray)) {
+                unset($permissions[$tab]);
+            } else {
+                $permissions[$tab] = $permissionsArray;
+            }
+        }
+
+        return $permissions;
+    }
 }