From bd683d840410788b6757d4bc700561fc820c75e0 Mon Sep 17 00:00:00 2001
From: flashwave
Date: Tue, 25 Jul 2023 14:52:51 +0000
Subject: [PATCH] Allow moderators to view a stripped down version of the user page in the broom closet.
---
 public-legacy/manage/users/user.php | 23 ++++++++++++++++-------
 templates/manage/users/user.twig | 24 +++++++++++++-----------
 2 files changed, 29 insertions(+), 18 deletions(-)
diff --git a/public-legacy/manage/users/user.php b/public-legacy/manage/users/user.php
index f5e785b..8f188c7 100644
--- a/public-legacy/manage/users/user.php
+++ b/public-legacy/manage/users/user.php
@@ -6,15 +6,25 @@ use Index\Colour\Colour;
 use Misuzu\Users\User;
 use Misuzu\Users\UserRole;
-if(!User::hasCurrent() || !perms_check_user(MSZ_PERMS_USER, User::getCurrent()->getId(), MSZ_PERM_USER_MANAGE_USERS)) {
+if(!User::hasCurrent()) {
+ echo render_error(403);
+ return;
+}
+
+$currentUser = User::getCurrent();
+$currentUserId = $currentUser->getId();
+
+$canManageUsers = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_USERS);
+$canManagePerms = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_PERMS);
+$canManageNotes = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_NOTES);
+
+if(!$canManageUsers && !$canManageNotes) {
 echo render_error(403);
 return;
 }
 $notices = [];
 $userId = (int)filter_input(INPUT_GET, 'u', FILTER_SANITIZE_NUMBER_INT);
-$currentUser = User::getCurrent();
-$currentUserId = $currentUser->getId();
 try {
 $userInfo = User::byId($userId);
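Review bot: The new gate `if(!$canManageUsers && !$canManageNotes)` lets an account holding only MSZ_PERM_USER_MANAGE_NOTES reach this script, so the top-of-file 403 is no longer sufficient authorisation for what follows and each read and write path has to carry its own check. The following hunk keeps the POST handler behind `$canEdit` and empties `$permissions`, but the rest of the script and of the template lies outside the visible hunks. Any account field rendered there is presumably now visible to notes-only moderators, including for targets they have no `hasAuthorityOver()` on, so confirm each one is meant to be shown. I would document the contract above the gate, e.g. `// MANAGE_NOTES alone grants a read-only view; every write path and sensitive field below must check $canManageUsers or $canEdit.`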
@@ -23,10 +33,9 @@ try {
 return;
 }
-$canEdit = $currentUser->hasAuthorityOver($userInfo);
-$canEditPerms = $canEdit && perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_PERMS);
-$canManageNotes = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_NOTES);
-$permissions = manage_perms_list(perms_get_user_raw($userId));
+$canEdit = $canManageUsers && $currentUser->hasAuthorityOver($userInfo);
+$canEditPerms = $canEdit && $canManagePerms;
+$permissions = $canEditPerms ? manage_perms_list(perms_get_user_raw($userId)) : [];
 if(CSRF::validateRequest() && $canEdit) {
 if(!empty($_POST['impersonate_user'])) {
diff --git a/templates/manage/users/user.twig b/templates/manage/users/user.twig
index 39b28dc..c5ba1f0 100644
--- a/templates/manage/users/user.twig
+++ b/templates/manage/users/user.twig
@@ -176,19 +176,21 @@ {% endif %} -
- {{ container_title('Permissions for ' ~ user_info.username ~ ' (' ~ user_info.id ~ ')') }} + {% if permissions is not empty %} + + {{ container_title('Permissions for ' ~ user_info.username ~ ' (' ~ user_info.id ~ ')') }} - {{ permissions_table(permissions, not can_edit_perms) }} + {{ permissions_table(permissions, not can_edit_perms) }} - {% if can_edit_perms %} - {{ input_csrf() }} + {% if can_edit_perms %} + {{ input_csrf() }} -
- - -
- {% endif %} -
+
+ + +
+ {% endif %} + + {% endif %} {% endblock %}
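Review bot: `{% if permissions is not empty %}` uses an empty list as the authorisation signal for the whole permissions form, which ties the template to the `$permissions = $canEditPerms ? … : []` line in user.php and hides the real condition. As far as the visible code shows, the list is only populated when `can_edit_perms` is true, so the `not can_edit_perms` argument (presumably the read-only switch) and the inner `{% if can_edit_perms %}` can no longer take their other branch. A user manager without MSZ_PERM_USER_MANAGE_PERMS also loses the table they could previously see. If that is intended, gate the block on the flag itself, `{% if can_edit_perms %}`, and drop the dead argument; if a read-only view should remain, pass an explicit flag from the controller rather than inferring it from the list. The HTML tags of this hunk are not visible here, so the form markup itself is not reviewed.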