From 3146b3bc88645299b05cd2021c0e0f4a9ecd05fc Mon Sep 17 00:00:00 2001
From: flashwave
Date: Fri, 28 Dec 2018 17:35:55 +0100
Subject: [PATCH] Compare hierarchies before applying warnings.

---
 public/manage/users.php | 4 ++++
 src/Users/user.php | 22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/public/manage/users.php b/public/manage/users.php
index 06405ae4..0ee95102 100644
--- a/public/manage/users.php
+++ b/public/manage/users.php
@@ -514,6 +514,10 @@ switch ($_GET['v'] ?? null) {
             $warningsUser = (int)($_POST['warning']['user'] ?? 0);
+            if (!user_check_authority(user_session_current('user_id'), $warningsUser)) {
+                $notices[] = 'You do not have authority over this user.';
+            }
+
             if (empty($notices) && $warningsUser > 0) {
                 $warningId = user_warning_add(
                     $warningsUser,
diff --git a/src/Users/user.php b/src/Users/user.php
index ca7c3f65..998b8ecf 100644
--- a/src/Users/user.php
+++ b/src/Users/user.php
@@ -169,6 +169,28 @@ function user_get_last_ip(int $userId): string
     return $getAddress->execute() ? $getAddress->fetchColumn() : '';
 }
+function user_check_authority(int $userId, int $subjectId): bool
+{
+    $checkHierarchy = db_prepare('
+        SELECT (
+            SELECT MAX(r.`role_hierarchy`)
+            FROM `msz_roles` AS r
+            LEFT JOIN `msz_user_roles` AS ur
+            ON ur.`role_id` = r.`role_id`
+            WHERE ur.`user_id` = :user_id
+        ) > (
+            SELECT MAX(r.`role_hierarchy`)
+            FROM `msz_roles` AS r
+            LEFT JOIN `msz_user_roles` AS ur
+            ON ur.`role_id` = r.`role_id`
+            WHERE ur.`user_id` = :subject_id
+        )
+    ');
+    $checkHierarchy->bindValue('user_id', $userId);
+    $checkHierarchy->bindValue('subject_id', $subjectId);
+    return (bool)($checkHierarchy->execute() ? $checkHierarchy->fetchColumn() : false);
+}
+
 define('MSZ_USER_ABOUT_MAX_LENGTH', 0xFFFF);
 define('MSZ_USER_ABOUT_OK', 0);
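Review bot: The authority check on the first added line runs before `$warningsUser` has been validated, so a POST with a missing or zero user id is reported as 'You do not have authority over this user.' rather than as a missing target, and the hierarchy query is issued for subject 0; gating it as `if ($warningsUser > 0 && !user_check_authority(user_session_current('user_id'), $warningsUser)) {` keeps the notice meaningful and the later `$warningsUser > 0` guard still skips the add. Note also that user_check_authority(), as added in this commit, compares the two MAX(role_hierarchy) values with a strict `>`, so equal-rank staff and a user targeting themselves are refused, and because a NULL MAX (no rows in msz_user_roles for either side) makes the comparison NULL the call returns false — it fails closed, which is the right default, but it also means a subject with no role rows can never be warned unless the subject-side MAX is wrapped in COALESCE(…, 0). A comment at the call site would make that contract visible to the next maintainer: `// Fails closed: equal rank, self, no roles on either side, or a query failure all deny the warning.` The enclosing switch case starts and ends outside this hunk.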