From 2046efb51d8682de9aca68881b378e0e3dcc44eb Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Sun, 9 Jul 2017 20:24:17 -0600
Subject: [PATCH] Prevent users from granting permissions they don't have

Prevents users from granting permissions that they themselves do not have. Fixes #1673, and is a partial solution to #2367. However, this still does not address the issue of being able to assign / manage groups that have permissions that the user doing the management does not themselves have. That will have to be addressed separately as a part of #2367.
---
 .../backend/formwidgets/PermissionEditor.php | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/modules/backend/formwidgets/PermissionEditor.php b/modules/backend/formwidgets/PermissionEditor.php
index ebaa1692c..7b581b824 100644
--- a/modules/backend/formwidgets/PermissionEditor.php
+++ b/modules/backend/formwidgets/PermissionEditor.php
@@ -44,7 +44,7 @@ class PermissionEditor extends FormWidgetBase
         }
 
         $this->vars['checkboxMode'] = $this->getControlMode() === 'checkbox';
-        $this->vars['permissions'] = BackendAuth::listTabbedPermissions();
+        $this->vars['permissions'] = $this->getFilteredPermissions();
         $this->vars['baseFieldName'] = $this->getFieldName();
         $this->vars['permissionsData'] = $permissionsData;
         $this->vars['field'] = $this->formField;
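Review bot: The new `$this->vars['permissions'] = $this->getFilteredPermissions();` only narrows what the template renders, so the restriction lives in the UI: nothing in this patch re-checks the permission codes that come back in the request, and a user who adds a hidden checkbox name to the POST body can still grant a permission they do not hold (the diffstat shows only this widget changed, so the save path is untouched unless a check already exists elsewhere that I cannot see). Authorization has to be applied where the submitted value is accepted, e.g. in the widget's save-value handling or the model, by dropping or rejecting every submitted code for which `BackendAuth::getUser()->hasAccess($code)` is false. The enclosing method starts before this hunk, so I cannot see what else it sets up.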
@@ -75,4 +75,30 @@ class PermissionEditor extends FormWidgetBase
     {
         return strlen($this->mode) ? $this->mode : 'radio';
     }
+
+    /**
+     * Returns the available permissions; removing those that the logged-in user does not have access to
+     *
+     * @return array The permissions that the logged-in user does have access to
+     */
+    protected function getFilteredPermissions()
+    {
+        $permissions = BackendAuth::listTabbedPermissions();
+        $user = BackendAuth::getUser();
+        foreach ($permissions as $tab => $permissionsArray) {
+            foreach ($permissionsArray as $index => $permission) {
+                if (!$user->hasAccess($permission->code)) {
+                    unset($permissionsArray[$index]);
+                }
+            }
+
+            if (empty($permissionsArray)) {
+                unset($permissions[$tab]);
+            } else {
+                $permissions[$tab] = $permissionsArray;
+            }
+        }
+
+        return $permissions;
+    }
 }
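Review bot: `$user->hasAccess($permission->code)` is called without checking that `BackendAuth::getUser()` actually returned a user; if this widget is ever rendered with no authenticated backend user, the result is a fatal error on null rather than a controlled refusal, so I would fail closed explicitly with `if (!$user) { return []; }` right after the `$user = BackendAuth::getUser();` line. A second effect deserves a sentence in the docblock: when the editor lacks a permission that the edited user or group already holds, that permission is no longer rendered, so depending on how the submitted value is assembled (not visible in this patch) saving the form may silently strip it — the docblock should say that this list is filtered for display only and that permissions the current user cannot see are not preserved by this method. Style-wise, the inner loop is an `array_filter` with a closure, and the `$permissions[$tab] = $permissionsArray;` write-back goes away if the outer loop iterates by reference, though the explicit form is acceptable.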