Deny access to user edit action for low-priv users

Previously you could open the user edit page but not successfully make changes if you didn't have permission to edit that user. Now you won't be able to view that page at all. The edit page shows that user's settings and the "identity" half of their API keys, which shouldn't be accessible.
omeka · Aug 17, 2023 · 4193c1b · 4193c1b
1 parent ba42d27
commit 4193c1b
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/application/src/Controller/Admin/UserController.php b/application/src/Controller/Admin/UserController.php
@@ -139,6 +139,11 @@ public function editAction()
         $readResponse = $this->api()->read('users', $id);
         $user = $readResponse->getContent();
         $userEntity = $user->getEntity();
+
+        if (!$this->userIsAllowed($userEntity, 'update')) {
+            throw new Exception\PermissionDeniedException;
+        }
+
         $currentUser = $userEntity === $this->identity();
         $keys = $userEntity->getKeys();