From ea66ad4b4a81cfa25bd312cbc06d3249aabfccde Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Fri, 22 May 2026 05:53:14 -0500 Subject: [PATCH] security: hide MokoWaaS from plugin list for non-master users Injects JS on com_plugins that removes the MokoWaaS row from the plugin table. Combined with the edit/save block, non-master users cannot see, edit, or save the plugin settings. Co-Authored-By: Claude Opus 4.6 (1M context) --- src/Extension/MokoWaaS.php | 41 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/src/Extension/MokoWaaS.php b/src/Extension/MokoWaaS.php index e050cdd..9b89002 100644 --- a/src/Extension/MokoWaaS.php +++ b/src/Extension/MokoWaaS.php @@ -891,6 +891,12 @@ class MokoWaaS extends CMSPlugin } $this->injectFavicon($doc); + + // Hide MokoWaaS from plugin list for non-master users + if (!$this->isMasterUser()) + { + $this->hidePluginFromList($doc); + } } /** @@ -2061,6 +2067,41 @@ class MokoWaaS extends CMSPlugin * * @since 02.01.08 */ + /** + * Hide MokoWaaS from the Joomla plugin list for non-master users. + * + * Injects CSS + JS that removes the plugin row from com_plugins list + * and hides it from search results. Only runs when on the plugins page. + * + * @param \Joomla\CMS\Document\HtmlDocument $doc + * + * @return void + * + * @since 02.01.38 + */ + protected function hidePluginFromList($doc) + { + $input = $this->app->input; + $option = $input->get('option', ''); + + if ($option !== 'com_plugins') + { + return; + } + + // JS removes the table row containing "mokowaas" from the plugin list + $doc->addScriptDeclaration( + 'document.addEventListener("DOMContentLoaded", function() {' + . ' document.querySelectorAll("table.table tbody tr").forEach(function(row) {' + . ' if (row.textContent.indexOf("mokowaas") !== -1' + . ' || row.textContent.indexOf("MokoWaaS") !== -1) {' + . ' row.style.display = "none";' + . ' }' + . ' });' + . '});' + ); + } + protected function injectFavicon($doc) { $mediaBase = 'media/plg_system_mokowaas/';