From a661045fbbd240588b20c99c6e1f200871face76 Mon Sep 17 00:00:00 2001
From: Luis Cruz
Date: Thu, 12 Sep 2024 16:58:32 +0100
Subject: [PATCH] Only allow managers
---
 .../main/java/org/fenixedu/bennu/core/api/UserResource.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bennu-core/src/main/java/org/fenixedu/bennu/core/api/UserResource.java b/bennu-core/src/main/java/org/fenixedu/bennu/core/api/UserResource.java
index a3ca0d587..cdc1553d6 100644
--- a/bennu-core/src/main/java/org/fenixedu/bennu/core/api/UserResource.java
+++ b/bennu-core/src/main/java/org/fenixedu/bennu/core/api/UserResource.java
@@ -40,9 +40,10 @@ public class UserResource extends BennuRestResource {
 public JsonElement findUser(@QueryParam("query") String query, @QueryParam("includeInactive") @DefaultValue("false") Boolean includeInactive, @QueryParam("maxHits") @DefaultValue("20") Integer maxHits) {
- if (query == null || Authenticate.getUser() == null) {
+ if (query == null) {
 throw new WebApplicationException(Status.BAD_REQUEST);
 }
+ accessControl(Group.managers());
 Stream results = Stream.concat(Stream.of(User.findByUsername(query)), UserProfile.searchByName(query, Integer.MAX_VALUE).map(UserProfile::getUser)).filter(Objects::nonNull)
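Review bot: The new `accessControl(Group.managers());` call sits after the `query == null` check, so a caller who is not a manager still gets a 400 for a missing query and only reaches the authorization failure once the request is well-formed. Authorization should be the first statement of `findUser`, above `if (query == null) {`, so that unauthorized callers get the same response whatever they send. `accessControl` is defined outside this hunk (presumably in `BennuRestResource`), so it is worth confirming that it rejects an unauthenticated caller, because the explicit `Authenticate.getUser() == null` guard is removed here. A short comment such as `// user search returns account data for any match; restricted to managers` would record why the endpoint is no longer open to every logged-in user. The body of `findUser` continues past the end of the hunk.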