Merge pull request #6694 from getkirby/enhancement/user-rules-validat…

…e-roles `UserRules::create()` validate roles
getkirby · Sep 24, 2024 · 09eea10 · 09eea10
2 parents 4b7a22c + cfd255b
commit 09eea10
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 1 deletion.
diff --git a/src/Cms/UserRules.php b/src/Cms/UserRules.php
@@ -198,13 +198,25 @@ public static function create(User $user, array $props = []): bool
 		// check user permissions (if not on install)
 		if (
 			$user->kirby()->users()->count() > 0 &&
-			$user->permissions()->can('create') !== true
+			$user->permissions()->create() !== true
 		) {
 			throw new PermissionException([
 				'key' => 'user.create.permission'
 			]);
 		}
 
+		$role = $props['role'] ?? null;
+
+		// prevent creating a role that is not available for user
+		if (
+			in_array($role, [null, 'default', 'nobody'], true) === false &&
+			$user->kirby()->roles('create')->find($role) instanceof Role === false
+		) {
+			throw new InvalidArgumentException([
+				'key' => 'user.role.invalid',
+			]);
+		}
+
 		return true;
 	}
 

diff --git a/tests/Cms/Users/UserRulesTest.php b/tests/Cms/Users/UserRulesTest.php
@@ -361,6 +361,53 @@ public function testCreatePermissions()
 		]);
 	}
 
+	public function testCreateInvalidRole()
+	{
+		$app = $this->app()->clone([
+			'users' => [
+				['email' => 'editor@getkirby.com', 'role' => 'editor']
+			]
+		]);
+
+		$app->impersonate('editor@getkirby.com');
+
+		$permissions = $this->createMock(UserPermissions::class);
+		$permissions->method('__call')->with('create')->willReturn(true);
+
+		$user = $this->createMock(User::class);
+		$user->method('kirby')->willReturn($app);
+		$user->method('permissions')->willReturn($permissions);
+		$user->method('id')->willReturn('test');
+		$user->method('email')->willReturn('test@getkirby.com');
+		$user->method('language')->willReturn('en');
+
+		// no role
+		$this->assertTrue(UserRules::create($user, [
+			'password' => 12345678
+		]));
+
+		// role: nobody
+		$this->assertTrue(UserRules::create($user, [
+			'password' => 12345678,
+			'role'     => 'nobody'
+		]));
+
+		// role: default
+		$this->assertTrue(UserRules::create($user, [
+			'password' => 12345678,
+			'role'     => 'default'
+		]));
+
+		// invalid role
+		$this->expectException(InvalidArgumentException::class);
+		$this->expectExceptionMessage('Please enter a valid role');
+
+		UserRules::create($user, [
+			'password' => 12345678,
+			'role'     => 'foo'
+		]);
+	}
+
 	public function testUpdate()
 	{
 		$app  = $this->appWithAdmin();