Update user permissions so that admins cannot edit users with owner role

app/bootstrap/index.php

@@ -54,6 +54,7 @@ function setting(?string $key = null): mixed
     \Aurora\Core\Container::set('language', $lang);
     \Aurora\App\Permission::set($db->query('SELECT permission, role_level FROM roles_permissions ORDER BY permission')->fetchAll(\PDO::FETCH_KEY_PAIR), $_SESSION['user']['role'] ?? 0);
     \Aurora\App\Permission::addMethod('impersonate', fn($user) => ($user['status'] ?? false) && $user['role'] <= ($_SESSION['user']['role'] ?? 0) && \Aurora\App\Permission::can('impersonate'));
+    \Aurora\App\Permission::addMethod('edit_user', fn($user) => ($user['role'] ?? 0) <= ($_SESSION['user']['role'] ?? 0) && \Aurora\App\Permission::can('edit_users'));
     \Aurora\App\Setting::set($settings);
     \Aurora\App\Media::setDirectory(\Aurora\Core\Kernel::config('content'));
 

app/bootstrap/routes.php

@@ -372,7 +372,16 @@
             return json_encode([ 'errors' => [ $lang->get('no_permission') ] ]);
         }
 
-        if (!$user_mod->remove(array_filter(explode(',', $_POST['id']), fn($id) => $id != $_SESSION['user']['id']))) {
+        $ids = array_map(fn($id) => (int) $id, explode(',', $_POST['id']));
+        $valid_ids = [];
+
+        foreach ($user_mod->getPage(null, null, 'users.id IN (' . implode(',', $ids) . ')') as $user) {
+            if (\Aurora\App\Permission::edit_user($user) && $user['id'] != $_SESSION['user']['id']) {
+                $valid_ids[] = $user['id'];
+            }
+        }
+
+        if (!$user_mod->remove($valid_ids)) {
             http_response_code(500);
             return json_encode([ 'errors' => [ $lang->get('unexpected_error') ] ]);
         }

app/controllers/modules/User.php

@@ -207,7 +207,11 @@ public function checkFields(array $data, $id): array
             }
         }
 
-        if (!\Aurora\App\Permission::can('edit_users')) {
+        $can_edit = empty($id)
+            ? \Aurora\App\Permission::can('edit_users')
+            : \Aurora\App\Permission::edit_user($this->get([ 'id' => $id ]));
+
+        if (!$can_edit) {
             http_response_code(403);
             $errors[0] = $this->language->get('no_permission');
         }

app/views/admin/partials/lists/users.php

@@ -35,7 +35,7 @@
                         <?php if (\Aurora\App\Permission::impersonate($user)): ?>
                             <div onclick="if (confirm(LANG.impersonate_confirm)) location.href = '/admin/users/impersonate?id=' + <?= e(js($user['id'])) ?>"><?= $this->include('icons/users.svg') ?> <?= t('impersonate') ?></div>
                         <?php endif ?>
-                        <?php if (\Aurora\App\Permission::can('edit_users')): ?>
+                        <?php if (\Aurora\App\Permission::edit_user($user)): ?>
                             <div
                                 class="danger"
                                 onclick="confirm(LANG.delete_confirm.sprintf(<?= e(js($user['name'])) ?>)) && Form.send('/admin/users/remove', null, null, {

app/views/admin/user.php

@@ -8,7 +8,7 @@
 
 <?php $this->sectionStart('content') ?>
     <form id="user-form" class="content">
-        <?php $can_edit_user = \Aurora\App\Permission::can('edit_users'); ?>
+        <?php $can_edit_user = \Aurora\App\Permission::edit_user($user); ?>
         <div>
             <div class="page-title">
                 <?= $this->include('admin/partials/menu_btn.php') ?>