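/**
 * Save an access group submitted from the edit form.
 *
 * Before saving, two guards are applied:
 *  - a user without core.admin may not save a group whose effective
 *    core.admin value would be "allowed";
 *  - a user with core.admin may not change the group they belong to in a
 *    way that leaves them without core.admin.
 *
 * Both guards are evaluated for the id the record will be written under.
 * For the 'save2copy' task that is a new record, so rules attached to the
 * source group's id are not consulted and the copy is judged by what it
 * inherits from its parent.
 *
 * @return  void
 */
public function saveTask()
{
    // Check for request forgeries
    Request::checkToken();

    // Incoming group fields (untrusted request data)
    $fields = Request::getVar('fields', array(), 'post');
    if (!is_array($fields))
    {
        $fields = array();
    }

    $task   = $this->getTask();
    $isCopy = ($task == 'save2copy');

    // Read the ids defensively: the POST body may omit either key
    $rawId    = isset($fields['id']) ? $fields['id'] : null;
    $parentId = isset($fields['parent_id']) ? $fields['parent_id'] : 0;
    $groupId  = (int) $rawId;

    // Load the record
    // NOTE(review): set() receives every posted key; confirm the model limits
    // which attributes can be written this way.
    $row = Accessgroup::oneOrNew($rawId)->set($fields);

    // A copy is stored as a new record, so it has no id (and no explicit
    // rules of its own) at the time the permission is decided.
    $effectiveId = $isCopy ? null : $row->get('id');

    // Check the super admin permissions for group
    // We get the parent group permissions and then check the group permissions manually
    // We have to calculate the group permissions manually because we haven't saved the group yet
    $parentSuperAdmin = \JAccess::checkGroup($parentId, 'core.admin');

    // Get core.admin rules from the root asset
    $rules = \JAccess::getAssetRules('root.1')->getData('core.admin');

    // Value for the current group: true (allowed), false (denied), or null (inherit).
    // With no core.admin rule on the root asset there is nothing explicit to read.
    $groupSuperAdmin = isset($rules['core.admin'])
        ? $rules['core.admin']->allow($effectiveId)
        : null;

    // The parent only overrides the group's own value when it is explicitly
    // true or false; otherwise the value set in the rule takes effect.
    if ($parentSuperAdmin === false)
    {
        // Parent denied: effective value is always denied
        $groupSuperAdmin = false;
    }
    elseif ($parentSuperAdmin === true)
    {
        // Parent allowed: group is allowed unless explicitly denied
        $groupSuperAdmin = ($groupSuperAdmin !== false);
    }

    // Check for non-super admin trying to save with super admin group
    $iAmSuperAdmin = User::authorise('core.admin');
    if (!$iAmSuperAdmin && $groupSuperAdmin)
    {
        Notify::error(Lang::txt('JLIB_USER_ERROR_NOT_SUPERADMIN'));
        return $this->editTask($row);
    }

    // Check for super-admin changing self to be non-super-admin.
    // A copy does not modify the existing group, so it cannot demote anyone.
    if ($iAmSuperAdmin && !$isCopy)
    {
        // Are we a member of the current group? Ids are normalised to int so
        // the membership test does not depend on loose string/int comparison.
        $myGroups = array_map('intval', \JAccess::getGroupsByUser(User::get('id'), false));

        if (in_array($groupId, $myGroups, true))
        {
            // Would we have super admin permissions without the current group?
            $otherSuperAdmin = false;
            foreach (array_diff($myGroups, array($groupId)) as $otherGroup)
            {
                if (\JAccess::checkGroup($otherGroup, 'core.admin'))
                {
                    $otherSuperAdmin = true;
                    break;
                }
            }

            // No other group grants super admin and this one would not either
            if (!$otherSuperAdmin && !$groupSuperAdmin)
            {
                Notify::error(Lang::txt('JLIB_USER_ERROR_CANNOT_DEMOTE_SELF'));
                return $this->editTask($row);
            }
        }
    }

    if ($isCopy)
    {
        // Clear the id so save() creates a new record
        $row->set('id', null);
    }

    // Try to save
    if (!$row->save())
    {
        Notify::error($row->getError());
        return $this->editTask($row);
    }

    Notify::success(Lang::txt('COM_MEMBERS_SAVE_SUCCESS'));

    if ($task == 'save2new')
    {
        $row = Accessgroup::blank();
    }

    // Fall through to edit form
    if (in_array($task, array('apply', 'save2new', 'save2copy'), true))
    {
        return $this->editTask($row);
    }

    // Redirect
    $this->cancelTask();
}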