fix: [ACL] proper error messages on user edit

- don't silently redirect to editing the user's own account when the user isn't authorised to modify another user
iglocska 2022-01-17 09:19:53 +01:00
parent 87723c2100
commit caf48c9060
1 changed files with 9 additions and 1 deletions


@ -97,8 +97,16 @@ class UsersController extends AppController
public function edit($id = false)
{
$currentUser = $this->ACL->getUser();
if (empty($id) || (empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_admin']))) {
if (empty($id)) {
$id = $currentUser['id'];
} else {
if ((empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_admin']))) {
if ($id !== $currentUser['id']) {
throw new MethodNotAllowedException(__('You are not authorised to edit that user.'));
} else {
$id = $currentUser['id'];
}
}
}
$params = [