From fa840d79f6cbd054830d0f4e345bf024da9f18a7 Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Sat, 14 Oct 2017 00:25:52 -0600
Subject: [PATCH] Improve support for three tier user system

This builds on https://github.com/octobercms/october/commit/4fd1ca824f7873b540d66d8b57c7e40b2308f172 by switching from a two tier approach to permissions (superusers and regular users), to a three tier approach (superusers (developer), second-in-command (clients with manage_users permissions), and regular users). If support for a four tier approach is necessary (Superuser, Franchise Owner, Franchise Business Manager, Franchise Staff as an example), then it can be implemented simply by adding a flag to roles that would prevent anyone except for a superuser from assigning that role. The specific changes made by this commit is to support users with the manage_users permission (but who are not superusers) to be able to assign roles to other users and improvements to the sanctity of the superuser itself. Non-superusers can no longer see or edit superusers in the backend (that was previously poorly handled as a non-superuser with manage_users could take over a superuser account since they could modify that account willy-nilly), and the is_superuser filter is accordingly removed as well.
---
 modules/backend/controllers/Users.php | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/modules/backend/controllers/Users.php b/modules/backend/controllers/Users.php
index 14c12288a..ddc4c2961 100644
--- a/modules/backend/controllers/Users.php
+++ b/modules/backend/controllers/Users.php
@@ -49,6 +49,11 @@ class Users extends Controller
      */
     public function __construct()
     {
+        // Prevent non-superusers from even seeing the is_superuser filter
+        $this->listConfig = $this->makeConfig($this->listConfig);
+        $this->listConfig->filter = $this->makeConfig($this->listConfig->filter);
+        unset($this->listConfig->filter->scopes['is_superuser']);
+
         parent::__construct();
 
         if ($this->action == 'myaccount') {
@@ -59,6 +64,26 @@ class Users extends Controller
         SettingsManager::setContext('October.System', 'administrators');
     }
 
+    /**
+     * Extends the list query to hide superusers if the current user is not a superuser themselves
+     */
+    public function listExtendQuery($query)
+    {
+        if (!$this->user->isSuperUser()) {
+            $query->where('is_superuser', false);
+        }
+    }
+
+    /**
+     * Extends the form query to prevent non-superusers from accessing superusers at all
+     */
+    public function formExtendQuery($query)
+    {
+        if (!$this->user->isSuperUser()) {
+            $query->where('is_superuser', false);
+        }
+    }
+
     /**
      * Update controller
      */
@@ -114,7 +139,6 @@ class Users extends Controller
 
         if (!$this->user->isSuperUser()) {
             $form->removeField('is_superuser');
-            $form->removeField('role');
         }
 
         /*
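Review bot: The comment on the first added line of the constructor says the filter is hidden from non-superusers, but the `unset($this->listConfig->filter->scopes['is_superuser'])` that follows runs unconditionally, so superusers lose the list filter as well (which matches the commit message, not the comment). Either the comment should say what the code does, e.g. `// Drop the is_superuser filter scope for everyone: superusers are hidden from non-superusers by the query hooks, so the scope only leaks their existence`, or, if the scope is meant to survive for superusers, the unset would need to move after `parent::__construct()` and be guarded by `$this->user->isSuperUser()`, assuming that is where `$this->user` becomes available (not visible in this hunk). It is also worth confirming that `listConfig->filter` is always set for this controller, since `makeConfig()` on a missing filter is the obvious failure mode here. `__construct` continues past the end of the hunk.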
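Review bot: `formExtendQuery` keeps a non-superuser from loading a superuser record, but that does not stop a manage_users user from promoting an account they can load: removing the `is_superuser` field from the form only affects rendering, so a crafted POST still carries the attribute unless the model guards it, which is not visible here. If it is not guarded, a `formBeforeSave` hook that forces it for non-superusers closes the gap, e.g. `if (!$this->user->isSuperUser()) { $model->is_superuser = false; }`, which is safe because this query hook already guarantees the loaded record is a non-superuser. The two hooks duplicate the same predicate; a `protected function restrictToNonSuperusers($query)` called from both would keep list and form in sync if the rule ever changes. Note that `where('is_superuser', false)` also excludes rows where the column is NULL, which is only correct if the column is NOT NULL with a default, so worth checking against the migration. Both methods are complete within the hunk.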