[ticket/13779] Set new auth options to the role only if matching the role type

Migrations' permission tool allows setting permissions to the role which
doesn't match the role type, e.g. m_ permissions for u_ role types and so on.
As one of side effects, this may lead to granting users moderative/admin
permissions silently.
With this patch the only new permissions matching the role type will be set.

PHPBB3-13779

phpBB/phpbb/db/migration/tool/permission.php

@@ -425,14 +425,28 @@ class permission implements \phpbb\db\migration\tool\tool_interface
 				$role_id = (int) $this->db->sql_fetchfield('auth_role_id');
 				if ($role_id)
 				{
-					$sql = 'SELECT role_name
+					$sql = 'SELECT role_name, role_type
 						FROM ' . ACL_ROLES_TABLE . '
 						WHERE role_id = ' . $role_id;
 					$this->db->sql_query($sql);
-					$role_name = $this->db->sql_fetchfield('role_name');
+					$role_data = $this->db->sql_fetchrow();
+					$role_name = $role_data['role_name'];
+					$role_type = $role_data['role_type'];
 
+					// Filter new auth options to match the role type: a_ | f_ | m_ | u_
+					// Set new auth options to the role only if options matching the role type were found
+					$auth_option = array_filter($auth_option,
+						function ($option) use ($role_type)
+						{
+							return strpos($option, $role_type) === 0;
+						}
+					);
+
+					if (sizeof($auth_option))
+					{
 						return $this->permission_set($role_name, $auth_option, 'role', $has_permission);
 					}
+				}
 
 				$sql = 'SELECT auth_option_id, auth_setting
 					FROM ' . ACL_GROUPS_TABLE . '