feat: enforce ACLs in dashboard WAF sections and sidebar menu

- Dashboard: WAF chart and Recent WAF Blocks gated behind mokosuiteclient.security.waflog ACL - Menu: all items ACL-gated, added Snippets/Templates/Replacements/ Conditions entries, removed ticket items, super admins bypass all
2026-06-23 14:24:33 -05:00
parent abfdbbcaa2
commit 3c4fe24056
2 changed files with 26 additions and 10 deletions
@@ -25,6 +25,9 @@ $atsAvail        = $this->atsAvailable ?? null;
 $checkedOut     = $this->checkedOutItems;
 $wafBlocks      = $this->wafBlocks;
 $token          = Session::getFormToken();
+$user           = \Joomla\CMS\Factory::getApplication()->getIdentity();
+$canWafLog      = $user->authorise('mokosuiteclient.security.waflog', 'com_mokosuiteclient')
+                || $user->authorise('core.admin', 'com_mokosuiteclient');

 // Group plugins by category
 $grouped = [];
@@ -225,6 +228,7 @@ $actionLogsEnabled = Joomla\CMS\Component\ComponentHelper::isEnabled('com_action
 		<!-- Right: Charts & Information (4 cols) -->
 		<div class="col-12 col-xl-4" style="border-left:1px solid var(--gray-300, #dee2e6);padding-left:1.5rem;">

+			<?php if ($canWafLog): ?>
 			<!-- WAF Activity Chart -->
 			<div class="card mb-3">
 				<div class="card-header">
@@ -234,6 +238,7 @@ $actionLogsEnabled = Joomla\CMS\Component\ComponentHelper::isEnabled('com_action
 					<canvas id="mokosuiteclient-chart-waf" height="140"></canvas>
 				</div>
 			</div>
+			<?php endif; ?>

 			<!-- Login Activity Chart -->
 			<div class="card mb-3">
@@ -304,6 +309,7 @@ $actionLogsEnabled = Joomla\CMS\Component\ComponentHelper::isEnabled('com_action
 				<?php endif; ?>
 			</div>

+			<?php if ($canWafLog): ?>
 			<!-- WAF Blocks -->
 			<div class="card mb-3">
 				<div class="card-header d-flex justify-content-between align-items-center">
@@ -331,6 +337,7 @@ $actionLogsEnabled = Joomla\CMS\Component\ComponentHelper::isEnabled('com_action
 				</div>
 				<?php endif; ?>
 			</div>
+			<?php endif; ?>

 			<!-- Recent Logins -->
 			<div class="card mb-3">
@@ -17,17 +17,26 @@ $app           = Factory::getApplication();
 $currentOption = $app->getInput()->get('option', '');
 $currentView   = $app->getInput()->get('view', '');

-// ── Static views for com_mokosuiteclient ──────────────────────────────────
-$mokosuiteclientStaticViews = [
-	['icon' => 'icon-cogs',                      'title' => 'Dashboard',       'link' => 'index.php?option=com_mokosuiteclient'],
-	['icon' => 'icon-puzzle-piece',               'title' => 'Extensions',      'link' => 'index.php?option=com_mokosuiteclient&view=extensions'],
-	['icon' => 'fa-solid fa-file-code',           'title' => '.htaccess Maker', 'link' => 'index.php?option=com_mokosuiteclient&view=htaccess'],
-	['icon' => 'icon-lock',                       'title' => 'Privacy Guard',   'link' => 'index.php?option=com_mokosuiteclient&view=privacy'],
-	['icon' => 'icon-shield-alt',                 'title' => 'WAF Log',         'link' => 'index.php?option=com_mokosuiteclient&view=waflog'],
-	['icon' => 'icon-database',                   'title' => 'Database Tools',  'link' => 'index.php?option=com_mokosuiteclient&view=database'],
-	['icon' => 'icon-trash',                      'title' => 'Cache Cleanup',   'link' => 'index.php?option=com_mokosuiteclient&view=cleanup'],
-	['icon' => 'icon-power-off',                  'title' => 'Feature Plugins', 'link' => 'index.php?option=com_plugins&filter[folder]=system&filter[search]=mokosuiteclient'],
+// ── Static views for com_mokosuiteclient (ACL-gated) ──────────────────────
+$user = $app->getIdentity();
+$allViews = [
+	['icon' => 'icon-cogs',              'title' => 'Dashboard',       'link' => 'index.php?option=com_mokosuiteclient',                  'acl' => 'mokosuiteclient.dashboard'],
+	['icon' => 'icon-puzzle-piece',      'title' => 'Extensions',      'link' => 'index.php?option=com_mokosuiteclient&view=extensions',  'acl' => 'mokosuiteclient.extensions'],
+	['icon' => 'fa-solid fa-file-code',  'title' => '.htaccess Maker', 'link' => 'index.php?option=com_mokosuiteclient&view=htaccess',    'acl' => 'mokosuiteclient.htaccess'],
+	['icon' => 'icon-shield-alt',        'title' => 'WAF Log',         'link' => 'index.php?option=com_mokosuiteclient&view=waflog',      'acl' => 'mokosuiteclient.security.waflog'],
+	['icon' => 'icon-lock',              'title' => 'Privacy Guard',   'link' => 'index.php?option=com_mokosuiteclient&view=privacy',     'acl' => 'core.admin'],
+	['icon' => 'fa-solid fa-code',       'title' => 'Snippets',        'link' => 'index.php?option=com_mokosuiteclient&view=snippets',    'acl' => 'mokosuiteclient.snippets.manage'],
+	['icon' => 'fa-solid fa-file-lines', 'title' => 'Templates',       'link' => 'index.php?option=com_mokosuiteclient&view=templates',   'acl' => 'mokosuiteclient.templates.manage'],
+	['icon' => 'fa-solid fa-right-left', 'title' => 'Replacements',    'link' => 'index.php?option=com_mokosuiteclient&view=replacements','acl' => 'mokosuiteclient.replacements.manage'],
+	['icon' => 'fa-solid fa-shuffle',    'title' => 'Conditions',      'link' => 'index.php?option=com_mokosuiteclient&view=conditions',  'acl' => 'mokosuiteclient.conditions.manage'],
+	['icon' => 'icon-database',          'title' => 'Database Tools',  'link' => 'index.php?option=com_mokosuiteclient&view=database',    'acl' => 'core.admin'],
+	['icon' => 'icon-trash',             'title' => 'Cache Cleanup',   'link' => 'index.php?option=com_mokosuiteclient&view=cleanup',     'acl' => 'mokosuiteclient.cache'],
+	['icon' => 'icon-power-off',         'title' => 'Feature Plugins', 'link' => 'index.php?option=com_plugins&filter[folder]=system&filter[search]=mokosuiteclient', 'acl' => 'core.admin'],
 ];
+$isSuper = $user->authorise('core.admin', 'com_mokosuiteclient');
+$mokosuiteclientStaticViews = array_filter($allViews, function ($v) use ($user, $isSuper) {
+	return $isSuper || $user->authorise($v['acl'], 'com_mokosuiteclient');
+});

 // ── Auto-discover all Moko components from #__menu ──────────────────
 $mokoComponents = [];