From fae13defa5d036e4f98a8f50dca3f140d9c35ec5 Mon Sep 17 00:00:00 2001
From: flashwave <me@flash.moe>
Date: Fri, 22 Feb 2019 10:05:50 +0100
Subject: [PATCH] Added super user flag.

---
 .../2019_02_22_084055_super_user_flag.php     | 20 +++++++++++++++++++
 public/manage/users.php                       | 19 +++++++++---------
 public/profile.php                            |  2 +-
 src/Users/user.php                            | 17 ++++++++++++++++
 4 files changed, 48 insertions(+), 10 deletions(-)
 create mode 100644 database/2019_02_22_084055_super_user_flag.php

diff --git a/database/2019_02_22_084055_super_user_flag.php b/database/2019_02_22_084055_super_user_flag.php
new file mode 100644
index 00000000..5e75a988
--- /dev/null
+++ b/database/2019_02_22_084055_super_user_flag.php
@@ -0,0 +1,20 @@
+<?php
+namespace Misuzu\DatabaseMigrations\SuperUserFlag;
+
+use PDO;
+
+function migrate_up(PDO $conn): void
+{
+    $conn->exec("
+        ALTER TABLE `msz_users`
+            ADD COLUMN `user_super` TINYINT(1) UNSIGNED NOT NULL DEFAULT '0' AFTER `last_ip`;
+    ");
+}
+
+function migrate_down(PDO $conn): void
+{
+    $conn->exec("
+        ALTER TABLE `msz_users`
+            DROP COLUMN `user_super`;
+    ");
+}
diff --git a/public/manage/users.php b/public/manage/users.php
index 38cff514..25721a44 100644
--- a/public/manage/users.php
+++ b/public/manage/users.php
@@ -1,7 +1,8 @@
 <?php
 require_once '../../misuzu.php';
 
-$userPerms = perms_get_user(MSZ_PERMS_USER, user_session_current('user_id', 0));
+$currentUserId = user_session_current('user_id', 0);
+$userPerms = perms_get_user(MSZ_PERMS_USER, $currentUserId);
 $isPostRequest = $_SERVER['REQUEST_METHOD'] === 'POST';
 
 tpl_vars([
@@ -102,7 +103,7 @@ switch ($_GET['v'] ?? null) {
         if ($isPostRequest) {
             if (!csrf_verify('users_edit', $_POST['csrf'] ?? '')) {
                 $notices[] = "Couldn't verify the request.";
-            } elseif (!user_check_authority(user_session_current('user_id'), $userId)) {
+            } elseif (!user_check_super($currentUserId) && !user_check_authority($currentUserId, $userId)) {
                 $notices[] = 'You are not allowed to administer this user.';
             } else {
                 $setUserInfo = [];
@@ -205,7 +206,7 @@ switch ($_GET['v'] ?? null) {
                     }
                 }
 
-                if (isset($_POST['add_role']) && user_role_check_authority(user_session_current('user_id'), (int)$_POST['add_role']['role'])) {
+                if (isset($_POST['add_role']) && user_role_check_authority($currentUserId, (int)$_POST['add_role']['role'])) {
                     user_role_add($userId, $_POST['add_role']['role']);
                 }
 
@@ -216,7 +217,7 @@ switch ($_GET['v'] ?? null) {
                             break;
 
                         case 'remove':
-                            if ((int)$_POST['manage_roles']['role'] !== MSZ_ROLE_MAIN && user_role_check_authority(user_session_current('user_id'), (int)$_POST['manage_roles']['role'])) {
+                            if ((int)$_POST['manage_roles']['role'] !== MSZ_ROLE_MAIN && user_role_check_authority($currentUserId, (int)$_POST['manage_roles']['role'])) {
                                 user_role_remove($userId, $_POST['manage_roles']['role']);
                             }
                             break;
@@ -315,9 +316,9 @@ switch ($_GET['v'] ?? null) {
 
             $roleHierarchy = (int)($_POST['role']['hierarchy'] ?? -1);
 
-            if ($roleId === null
-                    ? (user_get_hierarchy(user_session_current('user_id')) <= $roleHierarchy)
-                    : !user_role_check_authority(user_session_current('user_id'), $roleId)) {
+            if (!user_check_super($currentUserId) && ($roleId === null
+                    ? (user_get_hierarchy($currentUserId) <= $roleHierarchy)
+                    : !user_role_check_authority($currentUserId, $roleId))) {
                 echo 'Your hierarchy is too low to do this.';
                 break;
             }
@@ -534,7 +535,7 @@ switch ($_GET['v'] ?? null) {
 
                 $warningsUser = (int)($_POST['warning']['user'] ?? 0);
 
-                if (!user_check_authority(user_session_current('user_id'), $warningsUser)) {
+                if (!user_check_super($currentUserId) && !user_check_authority($currentUserId, $warningsUser)) {
                     $notices[] = 'You do not have authority over this user.';
                 }
 
@@ -542,7 +543,7 @@ switch ($_GET['v'] ?? null) {
                     $warningId = user_warning_add(
                         $warningsUser,
                         user_get_last_ip($warningsUser),
-                        user_session_current('user_id'),
+                        $currentUserId,
                         ip_remote_address(),
                         $warningType,
                         $_POST['warning']['note'],
diff --git a/public/profile.php b/public/profile.php
index 0114b8c5..b1d38bd3 100644
--- a/public/profile.php
+++ b/public/profile.php
@@ -114,7 +114,7 @@ switch ($mode) {
         $userPerms = perms_get_user(MSZ_PERMS_USER, user_session_current('user_id', 0));
         $canManageWarnings = perms_check($userPerms, MSZ_PERM_USER_MANAGE_WARNINGS);
         $canEdit = !$isRestricted && user_session_active() && (
-            $viewingOwnProfile || (perms_check($userPerms, MSZ_PERM_USER_MANAGE_USERS) && user_check_authority(user_session_current('user_id', 0), $userId))
+            $viewingOwnProfile || user_check_super($userId) || (perms_check($userPerms, MSZ_PERM_USER_MANAGE_USERS) && user_check_authority(user_session_current('user_id', 0), $userId))
         );
         $isEditing = $mode === 'edit';
 
diff --git a/src/Users/user.php b/src/Users/user.php
index 7c610b63..79249195 100644
--- a/src/Users/user.php
+++ b/src/Users/user.php
@@ -212,6 +212,23 @@ function user_get_last_ip(int $userId): string
     return $getAddress->execute() ? $getAddress->fetchColumn() : '';
 }
 
+function user_check_super(int $userId): bool
+{
+    static $superUsers = [];
+
+    if (!isset($superUsers[$userId])) {
+        $checkSuperUser = db_prepare("
+            SELECT `user_super`
+            FROM `msz_users`
+            WHERE `user_id` = :user_id
+        ");
+        $checkSuperUser->bindValue('user_id', $userId);
+        $superUsers[$userId] = (bool)($checkSuperUser->execute() ? $checkSuperUser->fetchColumn() : false);
+    }
+
+    return $superUsers[$userId];
+}
+
 function user_check_authority(int $userId, int $subjectId, bool $canManageSelf = true): bool
 {
     if ($canManageSelf && $userId === $subjectId) {