From cc709a0231ac2681cfade89c2cd9398eca3ff282 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Mon, 25 May 2026 20:39:41 -0500
Subject: [PATCH] security: master user bypasses all tenant restrictions

Moved isMasterUser() check to top of enforceAdminRestrictions() so master user is never blocked by any restriction including install from URL, global config, sysinfo, installer, and template editing.

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 CHANGELOG.md | 1 +
 .../plg_system_mokowaas/Extension/MokoWaaS.php | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9f5a2d..6816fc7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down
 - Block non-master users from viewing or editing MokoWaaS plugin settings
+- Master user bypasses ALL tenant restrictions (install from URL, global config, sysinfo, installer, templates)

 ### Fixed
 - Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly)
diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
index 324594c..698bb8b 100644
--- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
+++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php
@@ -3427,12 +3427,18 @@ class MokoWaaS extends CMSPlugin
 */
 protected function enforceAdminRestrictions()
 {
+ // Master user bypasses ALL restrictions
+ if ($this->isMasterUser())
+ {
+ return;
+ }
+
 $input = $this->app->input;
 $option = $input->get('option', '');
 $view = $input->get('view', '');
 $task = $input->get('task', '');

- // Disable install-from-URL for ALL users (safety net)
+ // Disable install-from-URL for non-master users
 if ($this->params->get('disable_install_url', 1)
 && $option === 'com_installer'
 && stripos($task, 'install') !== false
@@ -3443,12 +3449,6 @@ class MokoWaaS extends CMSPlugin
 return;
 }

- // Remaining restrictions only apply to non-master users
- if ($this->isMasterUser())
- {
- return;
- }
-
 $blocked = [];

 if ($this->params->get('restrict_installer', 1))
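Review bot: The early `return` on `isMasterUser()` at the top of `enforceAdminRestrictions()` removes the only check in this function that applied to every account. The `disable_install_url` block was labelled a safety net for ALL users, and a master session now skips it even when that setting is on. Installing from a URL means running fetched code on the server, so every restriction here now rests on `isMasterUser()` alone, and nothing in the hunk records that a bypass happened. If the master needs URL installs, I would keep the install-from-URL check ahead of the master return and lift it only through a separate opt-in setting, and write a log entry whenever the bypass is taken. At minimum the new comment should state the dependency, e.g. `// Master user bypasses ALL restrictions, including disable_install_url; enforcement depends entirely on isMasterUser()`. The function's docblock and `isMasterUser()` itself are outside the hunk, so check that the docblock no longer promises the URL block for everyone and that the master identity cannot be influenced by request data.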