From a6b28bd57bd9c1d75e231dff552b2913dbf5ab8f Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski <janusz@frontaccounting.eu>
Date: Mon, 28 Sep 2009 13:15:21 +0000
Subject: [PATCH] Prevented switching off access to security roles editor for
 current user role.

---
 admin/security_roles.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/admin/security_roles.php b/admin/security_roles.php
index a6792f86..5617eb79 100644
--- a/admin/security_roles.php
+++ b/admin/security_roles.php
@@ -48,7 +48,17 @@ if (get_post('addupdate'))
       	display_error( _("Role name cannot be empty."));
 		set_focus('name');
    	}
-	
+		// prevent accidental editor lockup by removing SA_SECROLES
+	if (get_post('role') == $_SESSION['wa_current_user']->access) {
+		if (!isset($_POST['Area'.$security_areas['SA_SECROLES'][0]])
+			|| !isset($_POST['Section'.SS_SETUP])) {
+			display_error(_("Access level edition in Company setup section have to be enabled for your account."));
+	      	$input_error = 1;
+	      	set_focus(!isset($_POST['Section'.SS_SETUP]) 
+	      		? 'Section'.SS_SETUP : 'Area'.$security_areas['SA_SECROLES'][0]);
+		}
+	}
+
 	if ($input_error == 0)
 	{
 		$sections = array();
@@ -59,6 +69,7 @@ if (get_post('addupdate'))
 			if (substr($p,0,7) == 'Section')
 				$sections[] = substr($p, 7);
 		}
+		
 		sort($areas);
 		sort($sections);
      	if ($new_role) 
@@ -166,6 +177,10 @@ end_table(1);
 	$m = 0;
 	asort($security_areas); // in the case installed external modules has added some lines
 	foreach($security_areas as $area =>$parms ) {
+		// system setup areas are accessable only for site admins i.e. 
+		// admins of first registered company
+		if (user_company() && (($parms[0]&~0xff) == SS_SADMIN)) continue;
+
 		if (($parms[0]&~0xff) != $m)
 		{ // features set selection
 			$m = $parms[0] & ~0xff;
-- 
2.30.2