From 5bba1620b82746045051daaf5472688e39d751ea Mon Sep 17 00:00:00 2001
From: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
Date: Sun, 24 Dec 2023 14:39:32 -0500
Subject: [PATCH 1/5] UTCT-46: Supereditor role and Anonymous (SAML) users.

Signed-off-by: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
---
 user/plugins/auth-mgr-plus/plugin.php | 32 ++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

diff --git a/user/plugins/auth-mgr-plus/plugin.php b/user/plugins/auth-mgr-plus/plugin.php
index 38e632c..cf26f56 100644
--- a/user/plugins/auth-mgr-plus/plugin.php
+++ b/user/plugins/auth-mgr-plus/plugin.php
@@ -15,6 +15,7 @@ class ampRoles {
 const Administrator = 'Administrator';
+const Supereditor = 'Supereditor';
 const Editor = 'Editor';
 const Contributor = 'Contributor';
 }
@@ -241,8 +242,7 @@ function amp_require_capability( $capability ) {
 $errorpage = file_get_contents('user/plugins/auth-mgr-plus/403-error.html');
 yourls_status_header( 403 );
 echo $errorpage;
-die();
-}
+die(); }
 // Otherwise, render errors in admin interface
 yourls_redirect( yourls_admin_url( '?access=denied' ), 302 );
 die();
@@ -276,8 +276,8 @@ function amp_have_capability( $capability ) {
 if (amp_user_has_role($user, $rolename))
 $user_caps = array_merge($user_caps, $rolecaps);
 }
-elseif ( isset( $amp_default_role ) && in_array ($amp_default_role, array_keys( $amp_role_capabilities ) ) )
-$user_caps = $amp_role_capabilities [ $amp_default_role ];
+elseif ( isset( $amp_default_role ) && in_array ($amp_default_role, array_keys( $amp_role_capabilities ) ) )
+$user_caps = $amp_role_capabilities [ $amp_default_role ];
 $user_caps = array_unique( $user_caps );
 
 // Is the requested capability in this list?
@@ -427,7 +427,15 @@ function amp_env_check() {
 global $amp_allowed_plugin_pages;
 
 if ( !isset( $amp_anon_capabilities) ) {
-$amp_anon_capabilities = array();
+$amp_anon_capabilities = array(
+ampCap::ShowAdmin,
+ampCap::AddURL,
+ampCap::EditURL,
+ampCap::DeleteURL,
+ampCap::ShareURL,
+ampCap::APIu,
+ampCap::ViewStats,
+);
 }
 
 if ( !isset( $amp_role_capabilities) ) {
@@ -447,6 +455,19 @@ function amp_env_check() {
 ampCap::ViewStats,
 ampCap::ViewAll,
 ),
+ampRoles::Supereditor => array(
+ampCap::ShowAdmin,
+ampCap::AddURL,
+ampCap::EditURL,
+ampCap::DeleteURL,
+ampCap::ShareURL,
+ampCap::Traceless,
+ampCap::ManageAnonURL,
+ampCap::ManageUsrsURL,
+ampCap::APIu,
+ampCap::ViewStats,
+ampCap::ViewAll,
+),
 ampRoles::Editor => array(
 ampCap::ShowAdmin,
 ampCap::AddURL,
@@ -483,6 +504,7 @@ function amp_env_check() {
 
 if ( !isset( $amp_allowed_plugin_pages ) ) {
 $amp_allowed_plugin_pages = array(
+'sleeky-backend'
 );
 }
 

From 136b40a05f05d0d529242960755f6d654f04b988 Mon Sep 17 00:00:00 2001
From: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
Date: Mon, 1 Jan 2024 09:59:50 -0500
Subject: [PATCH 2/5] UTCT-46: Fix a bracket and correct plugin name.

Signed-off-by: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
---
 user/plugins/auth-mgr-plus/plugin.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/user/plugins/auth-mgr-plus/plugin.php b/user/plugins/auth-mgr-plus/plugin.php
index cf26f56..2587a46 100644
--- a/user/plugins/auth-mgr-plus/plugin.php
+++ b/user/plugins/auth-mgr-plus/plugin.php
@@ -242,7 +242,8 @@ function amp_require_capability( $capability ) {
 $errorpage = file_get_contents('user/plugins/auth-mgr-plus/403-error.html');
 yourls_status_header( 403 );
 echo $errorpage;
-die(); }
+die();
+}
 // Otherwise, render errors in admin interface
 yourls_redirect( yourls_admin_url( '?access=denied' ), 302 );
 die();
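Review bot: The fallback assigned when `$amp_anon_capabilities` is not set in config now grants ShowAdmin, AddURL, EditURL, DeleteURL, ShareURL, APIu and ViewStats instead of nothing, so any deployment of this fork that omits the setting gets a permissive anonymous policy by default rather than a closed one. The commit subject suggests "anonymous" here means users already authenticated upstream by SAML, but nothing in this block enforces that assumption; a safer shape is to keep the fallback empty and put the permissive list in the site's config, or at least document the assumption on the array: `// Fallback when config.php sets nothing: grants editing rights to "anonymous" users on the assumption that SAML authenticates everyone upstream — override in config.php on any install without that`. Patch 4/5 in this series drops APIu from the list but leaves the rest as is. amp_env_check() begins and ends outside this hunk.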
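Review bot: The new `ampRoles::Supereditor` entry carries no comment saying what the role is for, and the reader has to diff it by eye against the Editor list that follows to see that it appears to add Traceless, ManageAnonURL and ManageUsrsURL on top of the editor set (the Editor list is only partly visible in this hunk). A one-line comment above the entry such as `// Supereditor: Editor plus management of anonymous and other users' links` would make the intent reviewable, particularly since ManageUsrsURL presumably lets the role act on links it does not own. Note also that this table is only the fallback used when `$amp_role_capabilities` is unset in config, so sites with their own role table will not see the new role unless they add it themselves. amp_env_check() begins and ends outside this hunk.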
@@ -504,7 +505,7 @@ function amp_env_check() {
 
 if ( !isset( $amp_allowed_plugin_pages ) ) {
 $amp_allowed_plugin_pages = array(
-'sleeky-backend'
+'sleeky_backend'
 );
 }
 

From 2239fa713cea47f3a46fecb4ed47604f32f989bf Mon Sep 17 00:00:00 2001
From: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
Date: Mon, 1 Jan 2024 17:39:16 -0500
Subject: [PATCH 3/5] UTCT-46: Correct Sleeky backend page name.

Signed-off-by: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
---
 user/plugins/auth-mgr-plus/plugin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user/plugins/auth-mgr-plus/plugin.php b/user/plugins/auth-mgr-plus/plugin.php
index 2587a46..1a2dac4 100644
--- a/user/plugins/auth-mgr-plus/plugin.php
+++ b/user/plugins/auth-mgr-plus/plugin.php
@@ -505,7 +505,7 @@ function amp_env_check() {
 
 if ( !isset( $amp_allowed_plugin_pages ) ) {
 $amp_allowed_plugin_pages = array(
-'sleeky_backend'
+'sleeky_settings'
 );
 }
 

From 853a2266a67ca033cde78f2c2078154f655faf33 Mon Sep 17 00:00:00 2001
From: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
Date: Tue, 2 Jan 2024 08:24:48 -0500
Subject: [PATCH 4/5] UTCT-46: Remove API access from SAML users.

Signed-off-by: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
---
 user/plugins/auth-mgr-plus/plugin.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/user/plugins/auth-mgr-plus/plugin.php b/user/plugins/auth-mgr-plus/plugin.php
index 1a2dac4..92faeca 100644
--- a/user/plugins/auth-mgr-plus/plugin.php
+++ b/user/plugins/auth-mgr-plus/plugin.php
@@ -434,7 +434,6 @@ function amp_env_check() {
 ampCap::EditURL,
 ampCap::DeleteURL,
 ampCap::ShareURL,
-ampCap::APIu,
 ampCap::ViewStats,
 );
 }

From a5ca51ad5df8c08e95a2dd03915d2ff56bb8fcbf Mon Sep 17 00:00:00 2001
From: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>
Date: Tue, 2 Jan 2024 11:00:46 -0500
Subject: [PATCH 5/5] UTCT-46: Remove Sleeky config from allowed plugins.
Signed-off-by: Chris Gilligan <49878588+UTCGilligan@users.noreply.github.com>

Sleeky config is universal, so we can't allow users to choose because it impacts all.
---
 user/plugins/auth-mgr-plus/plugin.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/user/plugins/auth-mgr-plus/plugin.php b/user/plugins/auth-mgr-plus/plugin.php
index 92faeca..52f2c5b 100644
--- a/user/plugins/auth-mgr-plus/plugin.php
+++ b/user/plugins/auth-mgr-plus/plugin.php
@@ -503,9 +503,7 @@ function amp_env_check() {
 }
 
 if ( !isset( $amp_allowed_plugin_pages ) ) {
-$amp_allowed_plugin_pages = array(
-'sleeky_settings'
-);
+$amp_allowed_plugin_pages = array();
 }
 
 // convert role assignment table to lower case if it hasn't been done already
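Review bot: The reason the fallback `$amp_allowed_plugin_pages` list is empty again lives only in the commit message, so the next person to add a plugin page here will not see it. A comment on the assignment would preserve it, e.g. `// Intentionally empty: plugin settings pages such as Sleeky's are site-wide, so none are opened to non-admin users here` (that the list gates non-admin users specifically is inferred from its name; adjust the wording if it gates something else). amp_env_check() begins and ends outside this hunk.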