Fixed #17716

Author: brandonkelly

CHANGELOG.md

@@ -2,8 +2,10 @@
 
 ## Unreleased
 
+- Added `craft\services\UserPermissions::validatePermission()`.
 - Fixed an error that occurred when saving an entry with a Lightswitch field. ([#17721](https://github.com/craftcms/cms/issues/17721))
 - Fixed a bug where GraphiQL’s query input had a 550px max height. ([#17723](https://github.com/craftcms/cms/issues/17723))
+- Fixed an authorization error that occurred when non-admin users attempted to modify content on multi-site installs with SEOmatic installed. ([#17716](https://github.com/craftcms/cms/issues/17716))
 
 ## 5.8.13.1 - 2025-08-06
 

src/services/UserPermissions.php

@@ -67,7 +67,7 @@ class UserPermissions extends Component
 
     /**
      * @var string[]
-     * @see filterInvalidPermissions()
+     * @see allPermissionNames()
      */
     private array|null $_allPermissionNames = null;
 
@@ -103,25 +103,25 @@ class UserPermissions extends Component
     public function getAllPermissions(): array
     {
         if (!isset($this->_allPermissions)) {
-            $permissions = [];
+            $this->_allPermissions = [];
 
-            $this->_generalPermissions($permissions);
-            $this->_userPermissions($permissions);
-            $this->_sitePermissions($permissions);
-            $this->_entryPermissions($permissions);
-            $this->_globalSetPermissions($permissions);
-            $this->_categoryPermissions($permissions);
-            $this->_volumePermissions($permissions);
-            $this->_utilityPermissions($permissions);
+            $this->_generalPermissions($this->_allPermissions);
+            $this->_userPermissions($this->_allPermissions);
+            $this->_sitePermissions($this->_allPermissions);
+            $this->_entryPermissions($this->_allPermissions);
+            $this->_globalSetPermissions($this->_allPermissions);
+            $this->_categoryPermissions($this->_allPermissions);
+            $this->_volumePermissions($this->_allPermissions);
+            $this->_utilityPermissions($this->_allPermissions);
 
             // Fire a 'registerPermissions' event
             if ($this->hasEventHandlers(self::EVENT_REGISTER_PERMISSIONS)) {
-                $event = new RegisterUserPermissionsEvent(['permissions' => $permissions]);
+                $event = new RegisterUserPermissionsEvent([
+                    'permissions' => $this->_allPermissions,
+                ]);
                 $this->trigger(self::EVENT_REGISTER_PERMISSIONS, $event);
-                $permissions = $event->permissions;
+                $this->_allPermissions = $event->permissions;
             }
-
-            $this->_allPermissions = $permissions;
         }
 
         return $this->_allPermissions;
@@ -167,14 +167,10 @@ public function getAssignablePermissions(?User $user = null): array
     public function getPermissionsByGroupId(int $groupId): array
     {
         if (!isset($this->_permissionsByGroupId[$groupId])) {
-            /** @var string[] $groupPermissions */
-            $groupPermissions = $this->_createUserPermissionsQuery()
+            $this->_permissionsByGroupId[$groupId] = $this->_createUserPermissionsQuery()
                 ->innerJoin(['p_g' => Table::USERPERMISSIONS_USERGROUPS], '[[p_g.permissionId]] = [[p.id]]')
                 ->where(['p_g.groupId' => $groupId])
                 ->column();
-
-            // filter out any invalid permissions
-            $this->_permissionsByGroupId[$groupId] = $this->filterInvalidPermissions($groupPermissions);
         }
 
         return $this->_permissionsByGroupId[$groupId];
@@ -193,14 +189,11 @@ public function getGroupPermissionsByUserId(int $userId): array
             return $this->getPermissionsByGroupId($group->id);
         }
 
-        $permissions = $this->_createUserPermissionsQuery()
+        return $this->_createUserPermissionsQuery()
             ->innerJoin(['p_g' => Table::USERPERMISSIONS_USERGROUPS], '[[p_g.permissionId]] = [[p.id]]')
             ->innerJoin(['g_u' => Table::USERGROUPS_USERS], '[[g_u.groupId]] = [[p_g.groupId]]')
             ->where(['g_u.userId' => $userId])
             ->column();
-
-        // filter out any invalid permissions
-        return $this->filterInvalidPermissions($permissions);
     }
 
     /**
@@ -272,9 +265,6 @@ public function getPermissionsByUserId(int $userId): array
                     ->innerJoin(['p_u' => Table::USERPERMISSIONS_USERS], '[[p_u.permissionId]] = [[p.id]]')
                     ->where(['p_u.userId' => $userId])
                     ->column();
-
-                // filter out any invalid permissions
-                $userPermissions = $this->filterInvalidPermissions($userPermissions);
             } else {
                 $userPermissions = [];
             }
@@ -285,7 +275,12 @@ public function getPermissionsByUserId(int $userId): array
         return $this->_permissionsByUserId[$userId];
     }
 
-    private function filterInvalidPermissions(array $permissions): array
+    /**
+     * @param string $permission
+     * @return bool
+     * @since 5.8.13.2
+     */
+    public function validatePermission(string $permission): bool
     {
         if (!isset($this->_allPermissionNames)) {
             $this->_allPermissionNames = [];
@@ -294,7 +289,7 @@ private function filterInvalidPermissions(array $permissions): array
             }
         }
 
-        return array_values(array_filter($permissions, fn($permission) => isset($this->_allPermissionNames[strtolower($permission)])));
+        return isset($this->_allPermissionNames[strtolower($permission)]);
     }
 
     private function collectPermissionNames(array &$permissions): void

src/services/Users.php

@@ -1553,7 +1553,7 @@ public function canImpersonate(User $impersonator, User $impersonatee): bool
         $impersonateePermissions = $permissionsService->getPermissionsByUserId($impersonatee->id);
 
         foreach ($impersonateePermissions as $permission) {
-            if (!isset($impersonatorPermissions[$permission])) {
+            if (!isset($impersonatorPermissions[$permission]) && $permissionsService->validatePermission($permission)) {
                 return false;
             }
         }