Fix admin permissions

README.md

@@ -27,7 +27,7 @@ XG Proyect (XGP) is an OGame clone open-source web application framework designe
 This is the simplest and easiest way if you're not a technical person. Download and install XG Proyect will be easy! ;)
 
  1. Go to [releases](https://github.com/XGProyect/XG-Proyect-v3.x.x/releases)
- 2. Look for the last version and then **assets** and finally look for the `.zip` file.
+ 2. Look for the last version and then **assets** and finally look for the `.zip` file
  3. Unzip the file, you'll see 2 files and 1 folder.
  4. Look for the contents of the `upload` folder, only what's inside this one is needed.
  5. Copy the contents of the `upload` folder to the root on your host. There are hidden files in it, be sure that those are copied over also, specially the `.htaccess` file.

app/Http/Controllers/Adm/HomeController.php

@@ -30,11 +30,6 @@ public function __construct()
 
     public function index(): void
     {
-        // check if the user is allowed to access
-        if (!Administration::authorization(__CLASS__, (int) $this->user['user_authlevel'])) {
-            die(Administration::noAccessMessage($this->langs->line('no_permissions')));
-        }
-
         // build the page
         $this->buildPage();
     }

app/Http/Controllers/Adm/MakerController.php

@@ -126,6 +126,11 @@ private function makeUser(): array
                 }
             }
 
+            if ($auth >= $this->user['user_authlevel']) {
+                $error .= $this->langs->line('mk_user_invalid_auth_level');
+                $i++;
+            }
+
             if ($i == 0) {
                 $this->makerModel->createNewUser($name, $email, $auth, $pass, $galaxy, $system, $planet);
 
@@ -355,6 +360,7 @@ private function buildLevelCombo(): array
         ];
 
         foreach ($ranks as $rank_id) {
+            if($this->user['user_authlevel'] <= $rank_id) continue;
             $user_levels[] = [
                 'id' => $rank_id,
                 'name' => $this->langs->language['user_level'][$rank_id],

app/Http/Controllers/Adm/UsersController.php

@@ -81,6 +81,10 @@ private function buildPage(): void
                 // initial data
                 $this->_user_query = $this->usersModel->getUserDataById($this->_id);
 
+                if($this->_user_query['user_authlevel'] > $this->user['user_authlevel']) {
+                    die(Administration::noAccessMessage($this->langs->line('no_permissions')));
+                }
+
                 // save the data
                 if (isset($_POST['send_data']) && $_POST['send_data']) {
                     $this->saveData($type);
@@ -485,6 +489,14 @@ private function saveInfo()
             $errors .= $this->langs->line('us_error_authlevel') . '<br />';
         }
 
+        if ($authlevel != $this->user['user_authlevel'] && $this->user['user_id'] == $this->_user_query['user_id']) {
+            $errors .= $this->langs->line('us_error_authlevel_yourown') . '<br />';
+        }
+
+        if ($authlevel > $this->user['user_authlevel']) {
+            $errors .= $this->langs->line('us_error_invalid_auth_level') . '<br />';
+        }
+
         if ($id_planet <= 0) {
             $errors .= $this->langs->line('us_error_idplanet') . '<br />';
         }
@@ -1263,6 +1275,7 @@ private function buildUsersRolesList()
         ];
 
         foreach ($roles as $role) {
+            if($this->user['user_authlevel'] < $role) continue;
             $roles_list[] = [
                 'role_id' => $role,
                 'role_sel' => ($role == $this->_user_query['user_authlevel'] ? 'selected' : ''),

app/Libraries/Adm/AdministrationLib.php

@@ -66,7 +66,7 @@ public static function installDirExists()
      */
     public static function authorization(string $module, int $user_level)
     {
-        $cleaned_module_name = strtolower(substr(strrchr($module, '\\'), 1));
+        $cleaned_module_name = substr(strtolower(substr(strrchr($module, '\\'), 1)), 0, -10);
         $permissions = new Permissions(Functions::readConfig('admin_permissions'));
 
         return $permissions->isAccessAllowed($cleaned_module_name, $user_level);

resources/lang/english/adm/maker_lang.php

@@ -50,5 +50,6 @@
     'mk_user_existing_email' => 'Email already exists<br>',
     'mk_user_existing_planet' => 'Planet already exists<br>',
     'mk_user_invalid_password' => 'Invalid password. It must contain more than 4 characters<br>',
+    'mk_user_invalid_auth_level' => 'Invalid level. The user level must be lower than yours<br>',
     'mk_user_added' => 'User added with the password: %s',
 ];

resources/lang/english/adm/users_lang.php

@@ -48,6 +48,8 @@
     'us_error_username' => 'Username empty on already taken',
     'us_error_email' => 'Email empty or already taken',
     'us_error_authlevel' => 'The user level can not be empty and must be between 0 and 3',
+    'us_error_authlevel_yourown' => 'You cannot change your user level on your own',
+    'us_error_invalid_auth_level' => 'Invalid level. The user level must be lower than or equal yours',
     'us_error_idplanet' => 'The planet can not be empty',
     'us_error_current_planet' => 'The current user planet can not be empty',
     'us_error_ally_id' => 'The user alliance can not be empty',

resources/lang/spanish/adm/maker_lang.php

@@ -50,5 +50,6 @@
     'mk_user_existing_email' => 'El email ingresado ya existe<br>',
     'mk_user_existing_planet' => 'El planeta ingresado ya existe<br>',
     'mk_user_invalid_password' => 'La clave ingresada no es válida. Debe tener 4 caracteres como mínimo.<br>',
+    'mk_user_invalid_auth_level' => 'Nivel no válido. El nivel de usuario debe ser inferior al tuyo.<br>',
     'mk_user_added' => 'Usuario agregado con la clave: %s',
 ];

resources/lang/spanish/adm/users_lang.php

@@ -48,6 +48,8 @@
     'us_error_username' => 'Nombre de usuario vacío o ya existente',
     'us_error_email' => 'Email vacío o existente',
     'us_error_authlevel' => 'El nivel del usuario no puede estar vacío y debe estar entre 0 y 3',
+    'us_error_authlevel_yourown' => 'No puedes cambiar tu nivel de usuario por tu cuenta',
+    'us_error_invalid_auth_level' => 'Nivel no válido. El nivel de usuario debe ser inferior o igual al tuyo',
     'us_error_idplanet' => 'El planeta del usuario no puede estar vacío',
     'us_error_current_planet' => 'El planeta actual del usuario no puede estar vacío',
     'us_error_ally_id' => 'La alianza del usuario no puede estar vacía',