From 8e2a8cb1b3bbc8de393cf96021f29ad0dde57c35 Mon Sep 17 00:00:00 2001
From: Daniel Oaks <daniel@danieloaks.net>
Date: Sun, 23 Oct 2016 11:13:08 +1000
Subject: [PATCH] opers: Enforce oper class permissions

---
 irc/client.go   | 15 +++++++++++++++
 irc/commands.go |  7 +++++++
 2 files changed, 22 insertions(+)

diff --git a/irc/client.go b/irc/client.go
index 9502bf9b..c0c535ef 100644
--- a/irc/client.go
+++ b/irc/client.go
@@ -247,6 +247,21 @@ func (client *Client) HasUsername() bool {
 	return client.username != "" && client.username != "*"
 }
 
+// HasCapabs returns true if client has the given (role) capabilities.
+func (client *Client) HasCapabs(capabs ...string) bool {
+	if client.class == nil {
+		return false
+	}
+
+	for _, capab := range capabs {
+		if !client.class.Capabilities[capab] {
+			return false
+		}
+	}
+
+	return true
+}
+
 // <mode>
 func (c *Client) ModeString() (str string) {
 	str = "+"
diff --git a/irc/commands.go b/irc/commands.go
index ff4ec668..b59b176d 100644
--- a/irc/commands.go
+++ b/irc/commands.go
@@ -15,6 +15,7 @@ type Command struct {
 	leaveClientActive bool // if true, leaves the client active time alone. reversed because we can't default a struct element to True
 	leaveClientIdle   bool
 	minParams         int
+	capabs            []string
 }
 
 // Run runs this command with the given client/message.
@@ -27,6 +28,10 @@ func (cmd *Command) Run(server *Server, client *Client, msg ircmsg.IrcMessage) b
 		client.Send(nil, server.name, ERR_NOPRIVILEGES, client.nick, "Permission Denied - You're not an IRC operator")
 		return false
 	}
+	if len(cmd.capabs) > 0 && !client.HasCapabs(cmd.capabs...) {
+		client.Send(nil, server.name, ERR_NOPRIVILEGES, client.nick, "Permission Denied")
+		return false
+	}
 	if len(msg.Params) < cmd.minParams {
 		client.Send(nil, server.name, ERR_NEEDMOREPARAMS, client.nick, msg.Command, "Not enough parameters")
 		return false
@@ -91,6 +96,7 @@ var Commands = map[string]Command{
 		handler:   killHandler,
 		minParams: 1,
 		oper:      true,
+		capabs:    []string{"oper:local_kill"}, //TODO(dan): when we have S2S, this will be checked in the command handler itself
 	},
 	"LIST": {
 		handler:   listHandler,
@@ -168,6 +174,7 @@ var Commands = map[string]Command{
 		handler:   rehashHandler,
 		minParams: 0,
 		oper:      true,
+		capabs:    []string{"oper:rehash"},
 	},
 	"TIME": {
 		handler:   timeHandler,