Prevent expert editing mode from anyone else than super users [#2094]

2026-05-06 09:47:31 +02:00 · 2021-03-31 12:16:40 +03:00
parent 49348067a5
commit c97177e0ee
4 changed files with 7 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
    * Fixed issue where Adding a new page and canceling from within Editing would alter the Parent location of the edited page [#2067](https://github.com/getgrav/grav-plugin-admin/issues/2067)
    * Fixed and enhanced Range field to be Lists compatible [#2062](https://github.com/getgrav/grav-plugin-admin/issues/2062)
    * Fixed ERR_TOO_MANY_REDIRECTS with HTTPS = 'On' [#2100](https://github.com/getgrav/grav-plugin-admin/issues/2100)
+    * Prevent expert editing mode from anyone else than super users [#2094](https://github.com/getgrav/grav-plugin-admin/issues/2094)

 # v1.10.8
 ## 03/19/2021
--- a/admin.php
+++ b/admin.php
@@ -512,10 +512,10 @@ class AdminPlugin extends Plugin
        $this->session = $this->grav['session'];

        // set session variable if it's passed via the url
-        if ($this->uri->param('mode') === 'expert') {
-            $this->session->expert = true;
-        } elseif ($this->uri->param('mode') === 'normal') {
+        if (!$this->session->user->authorize('admin.super') || $this->uri->param('mode') === 'normal') {
            $this->session->expert = false;
+        } elseif ($this->uri->param('mode') === 'expert') {
+            $this->session->expert = true;
        } else {
            // set the default if not set before
            $this->session->expert = $this->session->expert ?? false;
--- a/themes/grav/templates/forms/fields/pagemedia/pagemedia.html.twig
+++ b/themes/grav/templates/forms/fields/pagemedia/pagemedia.html.twig
@@ -41,7 +41,7 @@
             data-dropzone-options="{{ dropzone_settings|json_encode|e('html_attr') }}"
             data-dropzone-field="{{ (scope ~ field.name)|fieldName }}"></div>

-        {% if admin.session.expert == '0' %}
+        {% if admin.session.expert == '0' or not user.authorize('admin.super') %}
        <input type="hidden" name="{{ (scope ~ field.name)|fieldName }}" value="{{ value|e }}" />
        {% endif %}
    </div>
--- a/themes/grav/templates/pages.html.twig
+++ b/themes/grav/templates/pages.html.twig
@@ -314,7 +314,7 @@
                    </div>
                {% endif %}

-                {% if context.blueprints.fields %}
+                {% if context.blueprints.fields and user.authorize('admin.super') %}
                {% set normalText = "PLUGIN_ADMIN.NORMAL"|tu %}
                {% set expertText = "PLUGIN_ADMIN.EXPERT"|tu %}
                {% set maxLen = max([normalText|length, expertText|length]) %}
@@ -338,7 +338,7 @@
                {% do context.header(current_form_data.header) %}
                {% do context.content(current_form_data.content) %}
            {% endif %}
-            {% if context.blueprints.fields and admin.session.expert == '0' %}
+            {% if (context.blueprints.fields and admin.session.expert == '0') or not user.authorize('admin.super') %}
                {% include 'partials/blueprints.html.twig' with { blueprints: context.blueprints, data: context } %}
            {% else %}
                {% include 'partials/blueprints-raw.html.twig' with { blueprints: admin.blueprints('admin/pages/'~modular~'raw'), data: context } %}