User authorize() now checks user groups before superuser, allowing deny rules to work

CHANGELOG.md

@@ -4,6 +4,8 @@
 1. [](#new)
     * Added support for image watermarks
     * Added support to disable a form, making it readonly
+2. [](#improved)
+    * User `authorize()` now checks user groups before superuser, allowing deny rules to work
 3. [](#bugfix)
     * Fixed a bug in `PermissionsReader` in PHP 7.3
     * Fixed `session_store_active` language option (#3464)

system/src/Grav/Common/Flex/Types/Users/UserObject.php

@@ -274,6 +274,7 @@ class UserObject extends FlexObject implements UserInterface, Countable
             }
         }
 
+        // Check custom application access.
         $authorizeCallable = static::$authorizeCallable;
         if ($authorizeCallable instanceof Closure) {
             $authorizeCallable->bindTo($this);
@@ -290,13 +291,14 @@ class UserObject extends FlexObject implements UserInterface, Countable
             return $authorized;
         }
 
-        // If specific rule isn't hit, check if user is super user.
-        if ($access->authorize('admin.super') === true) {
-            return true;
+        // Check group access.
+        $authorized = $this->getGroups()->authorize($action, $scope);
+        if (is_bool($authorized)) {
+            return $authorized;
         }
 
-        // Check group access.
-        return $this->getGroups()->authorize($action, $scope);
+        // If any specific rule isn't hit, check if user is a superuser.
+        return $access->authorize('admin.super') === true;
     }
 
     /**

system/src/Grav/Common/Page/Pages.php

@@ -649,7 +649,7 @@ class Pages
             $cmd = $value;
             $params = [];
         } elseif (is_array($value) && count($value) === 1 && !is_int(key($value))) {
-            // Format: @command.param: { attr1: value1, attr2: value2 }
+            // Format: @command.param: { attr1: value1, attr2: value2 }
             $cmd = (string)key($value);
             $params = (array)current($value);
         } else {