opers: Enforce oper class permissions

irc/client.go

 	return client.username != "" && client.username != "*"
 }
 
+// HasCapabs returns true if client has the given (role) capabilities.
+func (client *Client) HasCapabs(capabs ...string) bool {
+	if client.class == nil {
+		return false
+	}
+
+	for _, capab := range capabs {
+		if !client.class.Capabilities[capab] {
+			return false
+		}
+	}
+
+	return true
+}
+
 // <mode>
 func (c *Client) ModeString() (str string) {
 	str = "+"

irc/commands.go

 	leaveClientActive bool // if true, leaves the client active time alone. reversed because we can't default a struct element to True
 	leaveClientIdle   bool
 	minParams         int
+	capabs            []string
 }
 
 // Run runs this command with the given client/message.
 		client.Send(nil, server.name, ERR_NOPRIVILEGES, client.nick, "Permission Denied - You're not an IRC operator")
 		return false
 	}
+	if len(cmd.capabs) > 0 && !client.HasCapabs(cmd.capabs...) {
+		client.Send(nil, server.name, ERR_NOPRIVILEGES, client.nick, "Permission Denied")
+		return false
+	}
 	if len(msg.Params) < cmd.minParams {
 		client.Send(nil, server.name, ERR_NEEDMOREPARAMS, client.nick, msg.Command, "Not enough parameters")
 		return false
 		handler:   killHandler,
 		minParams: 1,
 		oper:      true,
+		capabs:    []string{"oper:local_kill"}, //TODO(dan): when we have S2S, this will be checked in the command handler itself
 	},
 	"LIST": {
 		handler:   listHandler,
 		handler:   rehashHandler,
 		minParams: 0,
 		oper:      true,
+		capabs:    []string{"oper:rehash"},
 	},
 	"TIME": {
 		handler:   timeHandler,