Update to Kirby 4.7.0

kirby/src/Cms/ModelPermissions.php

@@ -15,28 +15,13 @@ use Kirby\Toolkit\A;
  */
 abstract class ModelPermissions
 {
-	protected $category;
-	protected $model;
-	protected $options;
-	protected $permissions;
-	protected $user;
+	protected string $category;
+	protected ModelWithContent $model;
+	protected array $options;
+	protected Permissions $permissions;
+	protected User $user;
 
-	/**
-	 * @param string $method
-	 * @param array $arguments
-	 * @return bool
-	 */
-	public function __call(string $method, array $arguments = []): bool
-	{
-		return $this->can($method);
-	}
-
-	/**
-	 * ModelPermissions constructor
-	 *
-	 * @param \Kirby\Cms\Model $model
-	 */
-	public function __construct(Model $model)
+	public function __construct(ModelWithContent $model)
 	{
 		$this->model       = $model;
 		$this->options     = $model->blueprint()->options();
@@ -44,10 +29,14 @@ abstract class ModelPermissions
 		$this->permissions = $this->user->role()->permissions();
 	}
 
+	public function __call(string $method, array $arguments = []): bool
+	{
+		return $this->can($method);
+	}
+
 	/**
 	 * Improved `var_dump` output
-	 *
-	 * @return array
+	 * @codeCoverageIgnore
 	 */
 	public function __debugInfo(): array
 	{
@@ -55,18 +44,27 @@ abstract class ModelPermissions
 	}
 
 	/**
-	 * @param string $action
-	 * @return bool
+	 * Returns whether the current user is allowed to do
+	 * a certain action on the model
+	 *
+	 * @param bool $default Will be returned if $action does not exist
 	 */
-	public function can(string $action): bool
-	{
+	public function can(
+		string $action,
+		bool $default = false
+	): bool {
+		$user = $this->user->id();
 		$role = $this->user->role()->id();
 
+		// users with the `nobody` role can do nothing
+		// that needs a permission check
 		if ($role === 'nobody') {
 			return false;
 		}
 
-		// check for a custom overall can method
+		// check for a custom `can` method
+		// which would take priority over any other
+		// role-based permission rules
 		if (
 			method_exists($this, 'can' . $action) === true &&
 			$this->{'can' . $action}() === false
@@ -74,6 +72,11 @@ abstract class ModelPermissions
 			return false;
 		}
 
+		// the almighty `kirby` user can do anything
+		if ($user === 'kirby' && $role === 'admin') {
+			return true;
+		}
+
 		// evaluate the blueprint options block
 		if (isset($this->options[$action]) === true) {
 			$options = $this->options[$action];
@@ -90,25 +93,32 @@ abstract class ModelPermissions
 				is_array($options) === true &&
 				A::isAssociative($options) === true
 			) {
-				return $options[$role] ?? $options['*'] ?? false;
+				if (isset($options[$role]) === true) {
+					return $options[$role];
+				}
+
+				if (isset($options['*']) === true) {
+					return $options['*'];
+				}
 			}
 		}
 
-		return $this->permissions->for($this->category, $action);
+		return $this->permissions->for($this->category, $action, $default);
 	}
 
 	/**
-	 * @param string $action
-	 * @return bool
+	 * Returns whether the current user is not allowed to do
+	 * a certain action on the model
+	 *
+	 * @param bool $default Will be returned if $action does not exist
 	 */
-	public function cannot(string $action): bool
-	{
-		return $this->can($action) === false;
+	public function cannot(
+		string $action,
+		bool $default = true
+	): bool {
+		return $this->can($action, !$default) === false;
 	}
 
-	/**
-	 * @return array
-	 */
 	public function toArray(): array
 	{
 		$array = [];