
EZP-29820: /user/update/{id}/{version}/{language} access limitation (#…

ViniTou authored and glye committed Nov 20, 2018
1 parent b1e9ad8 commit ea82e136ec1ea40aca714abb79cc8e5bfece01e8
Showing with 12 additions and 1 deletion.
  1. +11 −1 bundle/Controller/UserController.php
  2. +1 −0 bundle/Resources/config/services.yml
@@ -14,6 +14,7 @@
use eZ\Publish\API\Repository\Exceptions\UnauthorizedException;
use eZ\Publish\API\Repository\LanguageService;
use eZ\Publish\API\Repository\LocationService;
use eZ\Publish\API\Repository\PermissionResolver;
use eZ\Publish\API\Repository\UserService;
use eZ\Publish\Core\Base\Exceptions\BadStateException;
use eZ\Publish\Core\Base\Exceptions\InvalidArgumentException;
@@ -33,6 +34,7 @@
use Symfony\Component\OptionsResolver\Exception\NoSuchOptionException;
use Symfony\Component\OptionsResolver\Exception\OptionDefinitionException;
use Symfony\Component\OptionsResolver\Exception\UndefinedOptionsException;
use eZ\Publish\Core\Base\Exceptions\UnauthorizedException as CoreUnauthorizedException;
class UserController extends Controller
{
@@ -51,18 +53,23 @@ class UserController extends Controller
/** @var ActionDispatcherInterface */
private $userActionDispatcher;
/** @var \eZ\Publish\API\Repository\PermissionResolver */
private $permissionResolver;
public function __construct(
ContentTypeService $contentTypeService,
UserService $userService,
LocationService $locationService,
LanguageService $languageService,
ActionDispatcherInterface $userActionDispatcher
ActionDispatcherInterface $userActionDispatcher,
PermissionResolver $permissionResolver
) {
$this->contentTypeService = $contentTypeService;
$this->userService = $userService;
$this->locationService = $locationService;
$this->languageService = $languageService;
$this->userActionDispatcher = $userActionDispatcher;
$this->permissionResolver = $permissionResolver;
}
/**
@@ -149,6 +156,9 @@ public function editAction(
Request $request
) {
$user = $this->userService->loadUser($contentId);
if (!$this->permissionResolver->canUser('content', 'edit', $user)) {
throw new CoreUnauthorizedException('content', 'edit', ['userId' => $contentId]);
}
$contentType = $this->contentTypeService->loadContentType($user->contentInfo->contentTypeId);
$userUpdate = (new UserUpdateMapper())->mapToFormData($user, $contentType, [
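Review bot: The new check in editAction calls `canUser('content', 'edit', $user)` with no targets, so the `{version}` and `{language}` route parameters named in the commit title are not part of the authorization decision; PermissionResolver::canUser() accepts an optional fourth `$targets` argument, and if the method later loads a VersionInfo (or Location) for the requested version, passing it there, e.g. `canUser('content', 'edit', $user, [$versionInfo])`, lets target-aware limitations apply rather than only the whole-object check. The exception thrown is the Core UnauthorizedException, which as far as I know extends the API UnauthorizedException already imported at the top of the file, so callers catching the API type keep working, but the method's docblock (outside the hunk) should carry `@throws \eZ\Publish\API\Repository\Exceptions\UnauthorizedException` if it does not already. editAction starts and ends outside the hunk.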
@@ -270,6 +270,7 @@ services:
- "@ezpublish.api.service.location"
- "@ezpublish.api.service.language"
- "@ezrepoforms.action_dispatcher.user"
- '@eZ\Publish\API\Repository\PermissionResolver'
parent: ezpublish.controller.base
ezrepoforms.controller.user_register:
