From 5c7b5fab5a90a02c7c21d22dee481551c283564d Mon Sep 17 00:00:00 2001
From: "florian.azizian" <florian.azizian@maarch.org>
Date: Mon, 31 May 2021 17:04:00 +0200
Subject: [PATCH] FIX #17109 TIME 1 change privilege control for user route

---
 src/app/user/controllers/UserController.php | 26 +++++++++++----------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/app/user/controllers/UserController.php b/src/app/user/controllers/UserController.php
index 1c6f1c70ff..cc30f916c4 100755
--- a/src/app/user/controllers/UserController.php
+++ b/src/app/user/controllers/UserController.php
@@ -79,26 +79,28 @@ class UserController
 
     public function getById(Request $request, Response $response, array $args)
     {
-        if ($GLOBALS['id'] != $args['id'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
-            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
-        }
-
         if (!Validator::intVal()->notEmpty()->validate($args['id'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
         }
 
-        $user = UserController::getUserInformationsById(['id' => $args['id']]);
+        if ($GLOBALS['id'] == $args['id'] || PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
+            $user = UserController::getUserInformationsById(['id' => $args['id']]);
+        } else {
+            $user = UserModel::getById(['select' => ['id', 'firstname', 'lastname', 'email', 'phone'], 'id' => $args['id']]);
+        }
+        
         if (empty($user)) {
             return $response->withStatus(400)->withJson(['errors' => 'User does not exist']);
         }
 
-        $user['groups'] = [];
-
-        $userGroups = UserGroupModel::get(['select' => ['group_id'], 'where' => ['user_id = ?'], 'data' => [$args['id']]]);
-        $groupsIds  = array_column($userGroups, 'group_id');
-        if (!empty($groupsIds)) {
-            $groups = GroupModel::get(['select' => ['label'], 'where' => ['id in (?)'], 'data' => [$groupsIds]]);
-            $user['groups'] = $groups;
+        if ($GLOBALS['id'] == $args['id'] || PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
+            $user['groups'] = [];
+            $userGroups = UserGroupModel::get(['select' => ['group_id'], 'where' => ['user_id = ?'], 'data' => [$args['id']]]);
+            $groupsIds  = array_column($userGroups, 'group_id');
+            if (!empty($groupsIds)) {
+                $groups = GroupModel::get(['select' => ['label'], 'where' => ['id in (?)'], 'data' => [$groupsIds]]);
+                $user['groups'] = $groups;
+            }
         }
 
         HistoryController::add([
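Review bot: The self-or-`manage_users` check is evaluated twice in the new code (once to choose the user query, once to decide whether groups are attached), so the two branches can drift apart and PrivilegeController::hasPrivilege is called twice per request; compute it once before the validation-dependent code, e.g. `$canSeeFullProfile = (int) $GLOBALS['id'] === (int) $args['id'] || PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users']);` and test `if ($canSeeFullProfile)` in both places. Casting both sides and using `===` also replaces the loose `==` between the session id and the route string, which is reasonable here because `$args['id']` has already been validated as a non-empty integer. A short comment above the limited branch would help the next reader, e.g. `// Non-privileged callers only get a minimal public view of another user (no groups, no extended information).` Whether the reduced `UserModel::getById` row carries every field that HistoryController::add and the rest of the method expect cannot be judged from the hunk, since getById continues past the last line shown.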
-- 
GitLab