Deny access to user edit action for low-priv users

Previously you could open the user edit page but not successfully make changes if you didn't have permission to edit that user. Now you won't be able to view that page at all. The edit page shows that user's settings and the "identity" half of their API keys, which shouldn't be accessible. (cherry picked from commit 4193c1b)
omeka · Aug 21, 2023 · b3d8871 · b3d8871
1 parent 4482f4f
commit b3d8871
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/application/src/Controller/Admin/UserController.php b/application/src/Controller/Admin/UserController.php
@@ -139,6 +139,11 @@ public function editAction()
         $readResponse = $this->api()->read('users', $id);
         $user = $readResponse->getContent();
         $userEntity = $user->getEntity();
+
+        if (!$this->userIsAllowed($userEntity, 'update')) {
+            throw new Exception\PermissionDeniedException;
+        }
+
         $currentUser = $userEntity === $this->identity();
         $keys = $userEntity->getKeys();