Clean up UserRules

src/Cms/UserPermissions.php

@@ -26,6 +26,19 @@ public function __construct(User $model)
 
 	protected function canChangeRole(): bool
 	{
+		// protect admin from role changes by non-admin
+		if (
+			$this->model->isAdmin() === true &&
+			$this->user->isAdmin() !== true
+		) {
+			return false;
+		}
+
+		// prevent demoting the last admin
+		if ($this->model->isLastAdmin() === true) {
+			return false;
+		}
+
 		return $this->model->roles()->count() > 1;
 	}
 

src/Cms/UserRules.php

@@ -101,17 +101,6 @@ public static function changePassword(
 	 */
 	public static function changeRole(User $user, string $role): bool
 	{
-		// protect admin from role changes by non-admin
-		if (
-			$user->kirby()->user()->isAdmin() === false &&
-			$user->isAdmin() === true
-		) {
-			throw new PermissionException([
-				'key'  => 'user.changeRole.permission',
-				'data' => ['name' => $user->username()]
-			]);
-		}
-
 		// prevent non-admins making a user to admin
 		if (
 			$user->kirby()->user()->isAdmin() === false &&
@@ -122,22 +111,29 @@ public static function changeRole(User $user, string $role): bool
 			]);
 		}
 
-		static::validRole($user, $role);
-
+		// prevent demoting the last admin
 		if ($role !== 'admin' && $user->isLastAdmin() === true) {
 			throw new LogicException([
 				'key'  => 'user.changeRole.lastAdmin',
 				'data' => ['name' => $user->username()]
 			]);
 		}
 
+		// check permissions
 		if ($user->permissions()->changeRole() !== true) {
 			throw new PermissionException([
 				'key'  => 'user.changeRole.permission',
 				'data' => ['name' => $user->username()]
 			]);
 		}
 
+		// prevent changing to role that is not available for user
+		if ($user->roles('change')->find($role) instanceof Role === false) {
+			throw new InvalidArgumentException([
+				'key' => 'user.role.invalid',
+			]);
+		}
+
 		return true;
 	}
 
@@ -199,19 +195,10 @@ public static function create(User $user, array $props = []): bool
 			return true;
 		}
 
-		// only admins are allowed to add admins
-		$role = $props['role'] ?? null;
-
-		if ($role === 'admin' && $currentUser?->isAdmin() === false) {
-			throw new PermissionException([
-				'key' => 'user.create.permission'
-			]);
-		}
-
 		// check user permissions (if not on install)
 		if (
 			$user->kirby()->users()->count() > 0 &&
-			$user->permissions()->create() !== true
+			$user->permissions()->can('create') !== true
 		) {
 			throw new PermissionException([
 				'key' => 'user.create.permission'
@@ -370,6 +357,7 @@ public static function validPassword(
 	 * Validates a user role
 	 *
 	 * @throws \Kirby\Exception\InvalidArgumentException If the user role does not exist
+	 * @deprecated 4.5.0
 	 */
 	public static function validRole(User $user, string $role): bool
 	{

tests/Cms/Users/UserRulesTest.php

@@ -174,7 +174,8 @@ public function testChangeRoleFromAdminByNonAdmin()
 			'user' => '[email protected]',
 			'users' => [
 				['email' => '[email protected]', 'role' => 'editor'],
-				['email' => '[email protected]', 'role' => 'admin']
+				['email' => '[email protected]', 'role' => 'admin'],
+				['email' => '[email protected]', 'role' => 'admin']
 			]
 		]);
 		$kirby->impersonate('[email protected]');