From 7488225aa644749eece4579d443cecd237303cb8 Mon Sep 17 00:00:00 2001 From: "gitea-actions[bot]" Date: Tue, 26 May 2026 01:30:19 +0000 Subject: [PATCH 1/7] chore(version): pre-release bump to 02.05.02 [skip ci] --- README.md | 2 +- src/packages/com_mokowaas/mokowaas.xml | 2 +- src/packages/plg_system_mokowaas/mokowaas.xml | 2 +- src/packages/plg_webservices_mokowaas/mokowaas.xml | 2 +- src/pkg_mokowaas.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 3b6df39..3ab910b 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ DEFGROUP: Joomla.Plugin INGROUP: MokoWaaS REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS - VERSION: 02.05.01 + VERSION: 02.05.02 PATH: /README.md BRIEF: MokoWaaS platform plugin for Joomla --> diff --git a/src/packages/com_mokowaas/mokowaas.xml b/src/packages/com_mokowaas/mokowaas.xml index c19b978..d76c267 100644 --- a/src/packages/com_mokowaas/mokowaas.xml +++ b/src/packages/com_mokowaas/mokowaas.xml @@ -7,7 +7,7 @@ GPL-3.0-or-later hello@mokoconsulting.tech https://mokoconsulting.tech - 02.05.00 + 02.05.02 Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups. Moko\Component\MokoWaaS\Api diff --git a/src/packages/plg_system_mokowaas/mokowaas.xml b/src/packages/plg_system_mokowaas/mokowaas.xml index 26dbbb1..b8fdc48 100644 --- a/src/packages/plg_system_mokowaas/mokowaas.xml +++ b/src/packages/plg_system_mokowaas/mokowaas.xml @@ -30,7 +30,7 @@ GNU General Public License version 3 or later; see LICENSE.md hello@mokoconsulting.tech https://mokoconsulting.tech - 02.05.00 + 02.05.02 This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform. Moko\Plugin\System\MokoWaaS script.php diff --git a/src/packages/plg_webservices_mokowaas/mokowaas.xml b/src/packages/plg_webservices_mokowaas/mokowaas.xml index f1cad69..0419ed5 100644 
--- a/src/packages/plg_webservices_mokowaas/mokowaas.xml +++ b/src/packages/plg_webservices_mokowaas/mokowaas.xml @@ -7,7 +7,7 @@ GPL-3.0-or-later hello@mokoconsulting.tech https://mokoconsulting.tech - 02.05.00 + 02.05.02 Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info. Moko\Plugin\WebServices\MokoWaaS diff --git a/src/pkg_mokowaas.xml b/src/pkg_mokowaas.xml index dfea54b..f0d8dcd 100644 --- a/src/pkg_mokowaas.xml +++ b/src/pkg_mokowaas.xml @@ -2,7 +2,7 @@ MokoWaaS mokowaas - 02.05.00 + 02.05.02 2026-05-23 Moko Consulting hello@mokoconsulting.tech From 2674111e0b716ee4f0d6fa5274d902700ccac750 Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Mon, 25 May 2026 20:37:27 -0500 Subject: [PATCH 2/7] security: block non-master users from editing MokoWaaS settings Non-master users navigating to the plugin edit page are redirected back to the plugins list with a warning message. Authored-by: Moko Consulting Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 1 + .../Extension/MokoWaaS.php | 25 +++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c157731..c9f5a2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down +- Block non-master users from viewing or editing MokoWaaS plugin settings ### Fixed - Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly) diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php index f55e36a..324594c 100644 --- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php +++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php 
@@ -1025,6 +1025,31 @@ class MokoWaaS extends CMSPlugin $this->app->redirect('index.php?option=com_plugins'); } } + + // Block non-master from viewing or editing MokoWaaS plugin settings + if ($option === 'com_plugins') + { + $view = $this->app->input->get('view', ''); + $layout = $this->app->input->get('layout', ''); + $extensionId = (int) $this->app->input->get('extension_id', 0); + + if (($view === 'plugin' || $layout === 'edit') && $extensionId > 0) + { + $db = Factory::getDbo(); + $query = $db->getQuery(true) + ->select('COUNT(*)') + ->from($db->quoteName('#__extensions')) + ->where($db->quoteName('extension_id') . ' = ' . $extensionId) + ->where($db->quoteName('element') . ' = ' . $db->quote('mokowaas')) + ->where($db->quoteName('type') . ' = ' . $db->quote('plugin')); + + if ((int) $db->setQuery($query)->loadResult() > 0) + { + $this->app->enqueueMessage('MokoWaaS settings are restricted to the master user.', 'warning'); + $this->app->redirect('index.php?option=com_plugins'); + } + } + } } /** From 3e28dd4fae824f256a23f03d839eb4ae2cff44b9 Mon Sep 17 00:00:00 2001 From: "gitea-actions[bot]" Date: Tue, 26 May 2026 01:38:24 +0000 Subject: [PATCH 3/7] chore(version): auto-bump patch 02.05.03 [skip ci] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ab910b..5851b15 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ DEFGROUP: Joomla.Plugin INGROUP: MokoWaaS REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS - VERSION: 02.05.02 + VERSION: 02.05.03 PATH: /README.md BRIEF: MokoWaaS platform plugin for Joomla --> From 03839601bbb8edd793fd68cf32fc27e3236074c2 Mon Sep 17 00:00:00 2001 From: "gitea-actions[bot]" Date: Tue, 26 May 2026 01:38:25 +0000 Subject: [PATCH 4/7] chore: update updates.xml (development: 02.05.03-dev) [skip ci] --- updates.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/updates.xml b/updates.xml index aacf3f2..7217f58 100644 --- a/updates.xml 
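Review bot: The guard added to Extension/MokoWaaS.php in PATCH 2/7 (hunk at line 1025) matches only `view=plugin` or `layout=edit` together with `extension_id`, so a com_plugins request that carries a `task` but neither of those display parameters is not matched by this block. Unless task-based requests are rejected elsewhere in the method, which starts and ends outside the hunk, the settings may still be changeable even though the edit page is hidden; I would also read `$task = $this->app->input->get('task', '');` and add `|| strpos($task, 'plugin.') === 0` to the condition. List actions pass their ids in `cid` rather than `extension_id`, so they would need their own check. The comment says "non-master", but no `isMasterUser()` test is visible in the hunk, so confirm that an earlier return exempts the master user before this block runs.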
+++ b/updates.xml @@ -10,13 +10,13 @@ MokoWaaS development build. pkg_mokowaas package - 02.05.01 + 02.05.03 2026-05-26 https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/development - https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.05.01-dev.zip + https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.05.03-dev.zip - e336a36a71cf9c42f8bf85cb3c4e250f68019cea581145ce3394f77c22dca79b + fc9581d539b30ca75aade2bc41f95b929bae1e8e3237789536aded763afde850 development Moko Consulting https://mokoconsulting.tech From cc709a0231ac2681cfade89c2cd9398eca3ff282 Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Mon, 25 May 2026 20:39:41 -0500 Subject: [PATCH 5/7] security: master user bypasses all tenant restrictions Moved isMasterUser() check to top of enforceAdminRestrictions() so master user is never blocked by any restriction including install from URL, global config, sysinfo, installer, and template editing. Authored-by: Moko Consulting Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 1 + .../plg_system_mokowaas/Extension/MokoWaaS.php | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c9f5a2d..6816fc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,6 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down - Block non-master users from viewing or editing MokoWaaS plugin settings +- Master user bypasses ALL tenant restrictions (install from URL, global config, sysinfo, installer, templates) ### Fixed - Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly) 
diff --git a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php index 324594c..698bb8b 100644 --- a/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php +++ b/src/packages/plg_system_mokowaas/Extension/MokoWaaS.php @@ -3427,12 +3427,18 @@ class MokoWaaS extends CMSPlugin */ protected function enforceAdminRestrictions() { + // Master user bypasses ALL restrictions + if ($this->isMasterUser()) + { + return; + } + $input = $this->app->input; $option = $input->get('option', ''); $view = $input->get('view', ''); $task = $input->get('task', ''); - // Disable install-from-URL for ALL users (safety net) + // Disable install-from-URL for non-master users if ($this->params->get('disable_install_url', 1) && $option === 'com_installer' && stripos($task, 'install') !== false @@ -3443,12 +3449,6 @@ class MokoWaaS extends CMSPlugin return; } - // Remaining restrictions only apply to non-master users - if ($this->isMasterUser()) - { - return; - } - $blocked = []; if ($this->params->get('restrict_installer', 1)) From 11c3488438d515add82bb933e286b1b5358673fc Mon Sep 17 00:00:00 2001 From: "gitea-actions[bot]" Date: Tue, 26 May 2026 01:55:06 +0000 Subject: [PATCH 6/7] chore(version): auto-bump patch 02.05.04 [skip ci] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5851b15..f12d937 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ DEFGROUP: Joomla.Plugin INGROUP: MokoWaaS REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS - VERSION: 02.05.03 + VERSION: 02.05.04 PATH: /README.md BRIEF: MokoWaaS platform plugin for Joomla --> From 0b8f4926139127bcee6ec2af697b7bb2c5c2cc7f Mon Sep 17 00:00:00 2001 From: "gitea-actions[bot]" Date: Tue, 26 May 2026 01:55:07 +0000 Subject: [PATCH 7/7] chore: update updates.xml (development: 02.05.04-dev) [skip ci] --- updates.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
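Review bot: The early `return` added at the top of enforceAdminRestrictions() in PATCH 5/7 (first hunk; the second hunk removes the old, later check) also skips the `disable_install_url` block, which the replaced comment described as a safety net for all users, so that option no longer has any effect for the master account. If that is intended, the method's docblock (it starts outside the hunk) and the option's description should state it, for example `// Master user is exempt from every check below, including disable_install_url.`; if not, keep the install-from-URL check ahead of the bypass. Every restriction in this method now depends on isMasterUser(), whose body is not in the diff, so it is worth confirming that it identifies the account by something a tenant administrator cannot change.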
diff --git a/updates.xml b/updates.xml index 7217f58..027d37d 100644 --- a/updates.xml +++ b/updates.xml @@ -10,13 +10,13 @@ MokoWaaS development build. pkg_mokowaas package - 02.05.03 + 02.05.04 2026-05-26 https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/development - https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.05.03-dev.zip + https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.05.04-dev.zip - fc9581d539b30ca75aade2bc41f95b929bae1e8e3237789536aded763afde850 + 104f27fc07783d65f050da3e28be4870ff4f566aff1bb01a446441b0dd8c55bb development Moko Consulting https://mokoconsulting.tech