Block reader users access to users forms

Readers users will now only be available of seeing their own edit form. Fixes #1064
graylog-labs · Jan 22, 2015 · 068a775 · 068a775
1 parent 5ec4954
commit 068a775
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/app/controllers/UsersController.java b/app/controllers/UsersController.java
@@ -107,6 +107,9 @@ public Result show(String username) {
     }
 
     public Result newUserForm() {
+        if (!Permissions.isPermitted(RestPermissions.USERS_CREATE)) {
+            return redirect(routes.StartpageController.redirect());
+        }
         BreadcrumbList bc = breadcrumbs();
         bc.addCrumb("New", routes.UsersController.newUserForm());
 
@@ -130,6 +133,9 @@ public Result newUserForm() {
     }
 
     public Result editUserForm(String username) {
+        if (!Permissions.isPermitted(RestPermissions.USERS_EDIT, username)) {
+            return redirect(routes.StartpageController.redirect());
+        }
         BreadcrumbList bc = breadcrumbs();
         bc.addCrumb("Edit " + username, routes.UsersController.editUserForm(username));