From 43c6dd2965f9db51b6052b8771a668ffab80e563 Mon Sep 17 00:00:00 2001
From: Quentin RIBAC <quentin.ribac@xelians.fr>
Date: Thu, 5 May 2022 09:43:58 +0200
Subject: [PATCH] FEAT #17436 TIME 0:30 remove summary query param & using correct checks
---
 src/app/user/controllers/UserController.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/app/user/controllers/UserController.php b/src/app/user/controllers/UserController.php
index 0ebcc0874c..3cae1c2259 100755
--- a/src/app/user/controllers/UserController.php
+++ b/src/app/user/controllers/UserController.php
@@ -106,9 +106,7 @@ class UserController
 return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
 }
- $queryParams = $request->getQueryParams();
- $summaryOnly = ($queryParams['mode'] ?? null) == 'summary';
- if (!$summaryOnly && UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
+ if ($GLOBALS['id'] == $args['id'] || PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
 $user = UserController::getUserInformationsById(['id' => $args['id']]);
 } else {
 $user = UserModel::getById(['select' => ['id', 'firstname', 'lastname', 'email', 'phone', 'substitute'], 'id' => $args['id']]);
@@ -132,7 +130,7 @@ class UserController
 if (!empty($groupsIds)) {
 $groups = GroupModel::get(['select' => ['label', 'id'], 'where' => ['id in (?)'], 'data' => [$groupsIds]]);
 $user['groups'] = $groups;
- } elseif (!$actuallyAlone && !$summaryOnly) {
+ } elseif (!$actuallyAlone) {
 return $response->withStatus(403)->withJson(['errors' => 'User out of perimeter']);
 }
-- 
GitLab
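Review bot: The new authorization guard in the first hunk compares `$GLOBALS['id'] == $args['id']` loosely; `$args['id']` arrives from the route as a string while the session id is presumably an int, so the self-access branch relies on PHP numeric-string coercion (under which `'1e0'` and `' 1'` also equal `1`). Since the check just above already rejects non-integer route ids, cast once and compare strictly: `if ((int) $args['id'] === (int) $GLOBALS['id'] || PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {`. Replacing `UserController::hasRightByUserId` with a self-or-`manage_users` test also changes who reaches the full `getUserInformationsById` branch; if that helper enforced entity-perimeter rules as well, those now rest only on the `$actuallyAlone` test in the second hunk, which is worth confirming against the helper's body. The enclosing method starts and ends outside both hunks, so please also confirm no other reference to `$summaryOnly` survives in the lines between them.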