From 686c42ae077a3473b6148374da4299db1c909eb4 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Mon, 8 Aug 2022 22:26:07 +1200
Subject: [PATCH] Add permission allowed for user type check function
---
 .../Permissions/PermissionsProcessor.php | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/src/Appwrite/Permissions/PermissionsProcessor.php b/src/Appwrite/Permissions/PermissionsProcessor.php
index eb66129aad..c4e638111c 100644
--- a/src/Appwrite/Permissions/PermissionsProcessor.php
+++ b/src/Appwrite/Permissions/PermissionsProcessor.php
@@ -53,4 +53,31 @@ class PermissionsProcessor
 }
 return $permissions;
 }
+
+ public static function allowedForUserType(?array $permissions): bool
+ {
+ if (\is_null($permissions)) {
+ return false;
+ }
+
+ // Users can only manage their own roles, API keys and Admin users can manage any
+ $roles = Authorization::getRoles();
+
+ if (!Auth::isAppUser($roles) && !Auth::isPrivilegedUser($roles)) {
+ foreach (Database::PERMISSIONS as $type) {
+ foreach ($permissions as $permission) {
+ if (!\str_starts_with($permission, $type)) {
+ continue;
+ }
+ $matches = \explode(',', \str_replace([$type, '(', ')', ' '], '', $permission));
+ foreach ($matches as $role) {
+ if (!Authorization::isRole($role)) {
+ return false;
+ }
+ }
+ }
+ }
+ }
+ return true;
+ }
 }
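Review bot: In `allowedForUserType`, a permission entry that starts with none of the `Database::PERMISSIONS` types hits `continue` on every pass and is never checked, so the method returns true for it; unless callers validate the format first (not visible in this hunk), the check fails open. The roles are also extracted with `\str_replace([$type, '(', ')', ' '], '', $permission)`, which strips the type name, parentheses and spaces wherever they occur in the string, so the value handed to `Authorization::isRole()` can differ from the role text that is later stored. Parsing each entry once with an anchored pattern and rejecting anything that does not match would close both gaps, as sketched below. The method would also benefit from a short docblock stating that null yields false and that app and privileged users skip the role check.

```php
if (!Auth::isAppUser($roles) && !Auth::isPrivilegedUser($roles)) {
    $types = \implode('|', \array_map(fn ($type) => \preg_quote($type, '/'), Database::PERMISSIONS));
    foreach ($permissions as $permission) {
        // Fail closed: an entry that is not exactly type(role, ...) is rejected, not skipped
        if (!\is_string($permission) || !\preg_match('/^(?:' . $types . ')\((.*)\)$/', $permission, $parts)) {
            return false;
        }
        // Check the role text as written, so the checked value is the stored value
        foreach (\explode(',', $parts[1]) as $role) {
            if (!Authorization::isRole(\trim($role))) {
                return false;
            }
        }
    }
}
// … unchanged: return true …
```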