Allow moderators to view a stripped down version of the user page in the broom closet.

flash 2023-07-25 14:52:51 +00:00
parent 3299d73df2
commit bd683d8404
2 changed files with 29 additions and 18 deletions


@ -6,15 +6,25 @@ use Index\Colour\Colour;
use Misuzu\Users\User; use Misuzu\Users\User;
use Misuzu\Users\UserRole; use Misuzu\Users\UserRole;
if(!User::hasCurrent() || !perms_check_user(MSZ_PERMS_USER, User::getCurrent()->getId(), MSZ_PERM_USER_MANAGE_USERS)) { if(!User::hasCurrent()) {
echo render_error(403);
return;
}
$currentUser = User::getCurrent();
$currentUserId = $currentUser->getId();
$canManageUsers = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_USERS);
$canManagePerms = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_PERMS);
$canManageNotes = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_NOTES);
if(!$canManageUsers && !$canManageNotes) {
echo render_error(403); echo render_error(403);
return; return;
} }
$notices = []; $notices = [];
$userId = (int)filter_input(INPUT_GET, 'u', FILTER_SANITIZE_NUMBER_INT); $userId = (int)filter_input(INPUT_GET, 'u', FILTER_SANITIZE_NUMBER_INT);
$currentUser = User::getCurrent();
$currentUserId = $currentUser->getId();
try { try {
$userInfo = User::byId($userId); $userInfo = User::byId($userId);
@ -23,10 +33,9 @@ try {
return; return;
} }
$canEdit = $currentUser->hasAuthorityOver($userInfo); $canEdit = $canManageUsers && $currentUser->hasAuthorityOver($userInfo);
$canEditPerms = $canEdit && perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_PERMS); $canEditPerms = $canEdit && $canManagePerms;
$canManageNotes = perms_check_user(MSZ_PERMS_USER, $currentUserId, MSZ_PERM_USER_MANAGE_NOTES); $permissions = $canEditPerms ? manage_perms_list(perms_get_user_raw($userId)) : [];
$permissions = manage_perms_list(perms_get_user_raw($userId));
if(CSRF::validateRequest() && $canEdit) { if(CSRF::validateRequest() && $canEdit) {
if(!empty($_POST['impersonate_user'])) { if(!empty($_POST['impersonate_user'])) {
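Review bot: The entry check near the top of this section now admits accounts that hold only MSZ_PERM_USER_MANAGE_NOTES, so everything further down that used to rely on the page-level MANAGE_USERS gate needs its own guard. The visible POST branch is covered because `$canEdit` now includes `$canManageUsers`, and `$permissions` is emptied unless `$canEditPerms` holds. The rest of the handler and the values handed to the template are outside the hunks, so it is worth confirming that no write path or sensitive profile field still assumes the old gate. I would also record the access model above the three `perms_check_user` calls, e.g. `// notes-only moderators get a read-only view; every write below must check $canEdit or $canEditPerms`.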


@ -176,6 +176,7 @@
</form> </form>
{% endif %} {% endif %}
{% if permissions is not empty %}
<form method="post" action="{{ url('manage-user', {'user': user_info.id}) }}" class="container manage__user__container"> <form method="post" action="{{ url('manage-user', {'user': user_info.id}) }}" class="container manage__user__container">
{{ container_title('Permissions for ' ~ user_info.username ~ ' (' ~ user_info.id ~ ')') }} {{ container_title('Permissions for ' ~ user_info.username ~ ' (' ~ user_info.id ~ ')') }}
@ -190,5 +191,6 @@
</div> </div>
{% endif %} {% endif %}
</form> </form>
{% endif %}
</div> </div>
{% endblock %} {% endblock %}
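Review bot: The `{% if permissions is not empty %}` guard uses the emptiness of the list as a stand-in for the viewer's right to edit permissions, which leaves the intent implicit and would also hide the form from an authorised viewer if the list were ever empty. Passing the controller's `$canEditPerms` value to the template and testing that flag would state the condition directly. Hiding the form is presentation only, so the permissions POST branch in the controller, which is not visible here, should check `$canEditPerms` itself. The form body between the two hunks is not shown.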