security: master user bypasses all tenant restrictions

Moved isMasterUser() check to top of enforceAdminRestrictions() so
master user is never blocked by any restriction including install
from URL, global config, sysinfo, installer, and template editing.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CHANGELOG.md

@@ -36,6 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down
 - Block non-master users from viewing or editing MokoWaaS plugin settings
+- Master user bypasses ALL tenant restrictions (install from URL, global config, sysinfo, installer, templates)
 
 ### Fixed
 - Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly)

src/packages/plg_system_mokowaas/Extension/MokoWaaS.php

@@ -3427,12 +3427,18 @@ class MokoWaaS extends CMSPlugin
 	 */
 	protected function enforceAdminRestrictions()
 	{
+		// Master user bypasses ALL restrictions
+		if ($this->isMasterUser())
+		{
+			return;
+		}
+
 		$input  = $this->app->input;
 		$option = $input->get('option', '');
 		$view   = $input->get('view', '');
 		$task   = $input->get('task', '');
 
-		// Disable install-from-URL for ALL users (safety net)
+		// Disable install-from-URL for non-master users
 		if ($this->params->get('disable_install_url', 1)
 			&& $option === 'com_installer'
 			&& stripos($task, 'install') !== false
@@ -3443,12 +3449,6 @@ class MokoWaaS extends CMSPlugin
 			return;
 		}
 
-		// Remaining restrictions only apply to non-master users
-		if ($this->isMasterUser())
-		{
-			return;
-		}
-
 		$blocked = [];
 
 		if ($this->params->get('restrict_installer', 1))