security: hide MokoWaaS from plugin list for non-master users

Injects JS on com_plugins that removes the MokoWaaS row from the
plugin table. Combined with the edit/save block, non-master users
cannot see, edit, or save the plugin settings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/Extension/MokoWaaS.php

@@ -891,6 +891,12 @@ class MokoWaaS extends CMSPlugin
 		}
 
 		$this->injectFavicon($doc);
+
+		// Hide MokoWaaS from plugin list for non-master users
+		if (!$this->isMasterUser())
+		{
+			$this->hidePluginFromList($doc);
+		}
 	}
 
 	/**
@@ -2061,6 +2067,41 @@ class MokoWaaS extends CMSPlugin
 	 *
 	 * @since   02.01.08
 	 */
+	/**
+	 * Hide MokoWaaS from the Joomla plugin list for non-master users.
+	 *
+	 * Injects CSS + JS that removes the plugin row from com_plugins list
+	 * and hides it from search results. Only runs when on the plugins page.
+	 *
+	 * @param   \Joomla\CMS\Document\HtmlDocument  $doc
+	 *
+	 * @return  void
+	 *
+	 * @since   02.01.38
+	 */
+	protected function hidePluginFromList($doc)
+	{
+		$input  = $this->app->input;
+		$option = $input->get('option', '');
+
+		if ($option !== 'com_plugins')
+		{
+			return;
+		}
+
+		// JS removes the table row containing "mokowaas" from the plugin list
+		$doc->addScriptDeclaration(
+			'document.addEventListener("DOMContentLoaded", function() {'
+			. '  document.querySelectorAll("table.table tbody tr").forEach(function(row) {'
+			. '    if (row.textContent.indexOf("mokowaas") !== -1'
+			. '        || row.textContent.indexOf("MokoWaaS") !== -1) {'
+			. '      row.style.display = "none";'
+			. '    }'
+			. '  });'
+			. '});'
+		);
+	}
+
 	protected function injectFavicon($doc)
 	{
 		$mediaBase = 'media/plg_system_mokowaas/';