From caf48c9060ba27e13533e8d702a989bb72285a8e Mon Sep 17 00:00:00 2001
From: iglocska
Date: Mon, 17 Jan 2022 09:19:53 +0100
Subject: [PATCH] fix: [ACL] proper error messages on user edit - don't just silently redirect to the own user editing if the user isn't authorised to modify another user
---
src/Controller/UsersController.php | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index 36a69cf..3e389de 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -97,8 +97,16 @@ class UsersController extends AppController
 public function edit($id = false)
 {
 $currentUser = $this->ACL->getUser();
- if (empty($id) || (empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_admin']))) {
+ if (empty($id)) {
 $id = $currentUser['id'];
+ } else {
+ if ((empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_admin']))) {
+ if ($id !== $currentUser['id']) {
+ throw new MethodNotAllowedException(__('You are not authorised to edit that user.'));
+ } else {
+ $id = $currentUser['id'];
+ }
+ }
 }
 $params = [