Commit 89f7fbd2 authored by Quentin Ribac's avatar Quentin Ribac
Browse files

FEAT #17436 TIME 0:20 clean privilege check in UserController.php

parent 70716996
......@@ -108,7 +108,7 @@ class UserController
$queryParams = $request->getQueryParams();
$summaryOnly = ($queryParams['mode'] ?? null) == 'summary';
if (!$summaryOnly && ($GLOBALS['id'] == $args['id'] || PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users']))) {
if (!$summaryOnly && UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
$user = UserController::getUserInformationsById(['id' => $args['id']]);
} else {
$user = UserModel::getById(['select' => ['id', 'firstname', 'lastname', 'email', 'phone', 'substitute'], 'id' => $args['id']]);
......@@ -227,10 +227,7 @@ class UserController
public function update(Request $request, Response $response, array $args)
{
$connection = ConfigurationModel::getConnection();
if (($GLOBALS['id'] != $args['id'] || $connection != 'default') && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
if (($GLOBALS['id'] != $args['id'] || $connection != 'default') && !UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
......@@ -406,10 +403,7 @@ class UserController
public function delete(Request $request, Response $response, array $args)
{
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users']) || $GLOBALS['id'] == $args['id']) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
if ($GLOBALS['id'] == $args['id'] || !UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
......@@ -514,10 +508,7 @@ class UserController
return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
}
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users']) && $GLOBALS['id'] != $args['id']) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
if ($GLOBALS['id'] != $args['id'] && !UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
......@@ -664,9 +655,6 @@ class UserController
}
if ($GLOBALS['id'] != $args['id']) {
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (!UserController::hasRightByUserId(['activeUserId' => $GLOBALS['id'], 'targetUserId' => $args['id']])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
......@@ -816,10 +804,6 @@ class UserController
public function sendAccountActivationNotification(Request $request, Response $response, array $args)
{
if (!PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'manage_users'])) {
return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
}
if (empty($args['id']) || !Validator::intVal()->validate($args['id'])) {
return $response->withStatus(400)->withJson(['errors' => 'Route id is not an integer']);
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment