2026-05-26 01:58:39 +00:00
8 changed files with 42 additions and 15 deletions
@@ -35,6 +35,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ### Added
 - Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down
+- Block non-master users from viewing or editing MokoWaaS plugin settings
+- Master user bypasses ALL tenant restrictions (install from URL, global config, sysinfo, installer, templates)

 ### Fixed
 - Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly)
@@ -9,7 +9,7 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS
 REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.05.01
+ VERSION: 02.05.04
 PATH: /README.md
 BRIEF: MokoWaaS platform plugin for Joomla
 -->
@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<description>Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups.</description>
 	<namespace path="api/src">Moko\Component\MokoWaaS\Api</namespace>
 	<administration>
@@ -1025,6 +1025,31 @@ class MokoWaaS extends CMSPlugin
 				$this->app->redirect('index.php?option=com_plugins');
 			}
 		}
+
+		// Block non-master from viewing or editing MokoWaaS plugin settings
+		if ($option === 'com_plugins')
+		{
+			$view       = $this->app->input->get('view', '');
+			$layout     = $this->app->input->get('layout', '');
+			$extensionId = (int) $this->app->input->get('extension_id', 0);
+
+			if (($view === 'plugin' || $layout === 'edit') && $extensionId > 0)
+			{
+				$db    = Factory::getDbo();
+				$query = $db->getQuery(true)
+					->select('COUNT(*)')
+					->from($db->quoteName('#__extensions'))
+					->where($db->quoteName('extension_id') . ' = ' . $extensionId)
+					->where($db->quoteName('element') . ' = ' . $db->quote('mokowaas'))
+					->where($db->quoteName('type') . ' = ' . $db->quote('plugin'));
+
+				if ((int) $db->setQuery($query)->loadResult() > 0)
+				{
+					$this->app->enqueueMessage('MokoWaaS settings are restricted to the master user.', 'warning');
+					$this->app->redirect('index.php?option=com_plugins');
+				}
+			}
+		}
 	}

 	/**
@@ -3402,12 +3427,18 @@ class MokoWaaS extends CMSPlugin
 	 */
 	protected function enforceAdminRestrictions()
 	{
+		// Master user bypasses ALL restrictions
+		if ($this->isMasterUser())
+		{
+			return;
+		}
+
 		$input  = $this->app->input;
 		$option = $input->get('option', '');
 		$view   = $input->get('view', '');
 		$task   = $input->get('task', '');

-		// Disable install-from-URL for ALL users (safety net)
+		// Disable install-from-URL for non-master users
 		if ($this->params->get('disable_install_url', 1)
 			&& $option === 'com_installer'
 			&& stripos($task, 'install') !== false
@@ -3418,12 +3449,6 @@ class MokoWaaS extends CMSPlugin
 			return;
 		}

-		// Remaining restrictions only apply to non-master users
-		if ($this->isMasterUser())
-		{
-			return;
-		}
-
 		$blocked = [];

 		if ($this->params->get('restrict_installer', 1))
@@ -30,7 +30,7 @@
 	<license>GNU General Public License version 3 or later; see LICENSE.md</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<description>This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.</description>
 	<namespace path=".">Moko\Plugin\System\MokoWaaS</namespace>
 	<scriptfile>script.php</scriptfile>
@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<description>Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoWaaS</namespace>
 	<files>
@@ -2,7 +2,7 @@
 <extension type="package" method="upgrade">
 	<name>MokoWaaS</name>
 	<packagename>mokowaas</packagename>
-	<version>02.05.00</version>
+	<version>02.05.02</version>
 	<creationDate>2026-05-23</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -10,13 +10,13 @@
    <description>MokoWaaS development build.</description>
    <element>pkg_mokowaas</element>
    <type>package</type>
-    <version>02.05.01</version>
+    <version>02.05.04</version>
    <creationDate>2026-05-26</creationDate>
    <infourl title='MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/development</infourl>
    <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.05.01-dev.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.05.04-dev.zip</downloadurl>
    </downloads>
-    <sha256>e336a36a71cf9c42f8bf85cb3c4e250f68019cea581145ce3394f77c22dca79b</sha256>
+    <sha256>104f27fc07783d65f050da3e28be4870ff4f566aff1bb01a446441b0dd8c55bb</sha256>
    <tags><tag>development</tag></tags>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>