From d670551ab3a82f6a3c76ca2873bc7c82147c1869 Mon Sep 17 00:00:00 2001
From: Tristan Olive
Date: Mon, 11 May 2015 21:02:51 -0400
Subject: [PATCH] Restrict access to user banning functions (DBOINCP-87)
---
 .../boinc/modules/boincuser/boincuser.module | 44 +++++++++++--------
 1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/drupal/sites/default/boinc/modules/boincuser/boincuser.module b/drupal/sites/default/boinc/modules/boincuser/boincuser.module
index ecb6a17946..1da3845717 100644
--- a/drupal/sites/default/boinc/modules/boincuser/boincuser.module
+++ b/drupal/sites/default/boinc/modules/boincuser/boincuser.module
@@ -1223,28 +1223,34 @@ function boincuser_control($uid = NULL, $action = NULL) {
 }
 switch ($action) {
 case 'ban':
- $penalty_period = variable_get('boinc_penalty_period', 7*24*60*60);
- $boincuser_record = array(
- 'uid' => $uid,
- 'penalty_expiration' => time() + $penalty_period,
- );
- drupal_write_record('boincuser', $boincuser_record, 'uid');
- $community_role = array_search('community member', user_roles(true));
- if (isset($account->roles[$community_role])) {
- unset($account->roles[$community_role]);
- user_save($account, array('roles' => $account->roles));
+ if (user_access('assign community member role')
+ OR user_access('assign all roles')) {
+ $penalty_period = variable_get('boinc_penalty_period', 7*24*60*60);
+ $boincuser_record = array(
+ 'uid' => $uid,
+ 'penalty_expiration' => time() + $penalty_period,
+ );
+ drupal_write_record('boincuser', $boincuser_record, 'uid');
+ $community_role = array_search('community member', user_roles(true));
+ if (isset($account->roles[$community_role])) {
+ unset($account->roles[$community_role]);
+ user_save($account, array('roles' => $account->roles));
+ }
 }
 break;
 case 'lift-ban':
- $boincuser_record = array(
- 'uid' => $uid,
- 'penalty_expiration' => 0,
- );
- drupal_write_record('boincuser', $boincuser_record, 'uid');
- $community_role = array_search('community member', user_roles(true));
- if (!isset($account->roles[$community_role])) {
- $account->roles[$community_role] = 'community member';
- user_save($account, array('roles' => $account->roles));
+ if (user_access('assign community member role')
+ OR user_access('assign all roles')) {
+ $boincuser_record = array(
+ 'uid' => $uid,
+ 'penalty_expiration' => 0,
+ );
+ drupal_write_record('boincuser', $boincuser_record, 'uid');
+ $community_role = array_search('community member', user_roles(true));
+ if (!isset($account->roles[$community_role])) {
+ $account->roles[$community_role] = 'community member';
+ user_save($account, array('roles' => $account->roles));
+ }
 }
 break;
 default:
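Review bot: Both new `user_access()` guards fail silently: in the `ban` and `lift-ban` cases a caller without either permission just falls through to `break`, so whatever `boincuser_control()` does after the switch (outside this hunk) still runs and the request is never explicitly rejected. Checking once before `switch ($action)` removes the duplicated condition and makes the denial visible, e.g. `if (!user_access('assign community member role') && !user_access('assign all roles')) { return drupal_access_denied(); }`, or better, enforce it in the menu item's `access callback` so the handler is never entered. Since `$uid` and `$action` appear to come from the request path, it is also worth confirming that the part of the function not shown here validates a request token with `drupal_valid_token()`; a permission check alone does not stop a forged request issued from a moderator's session.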