Skip to content


Browse files Browse the repository at this point in the history
Deny access to user edit action for low-priv users
Previously you could open the user edit page but not successfully make
changes if you didn't have permission to edit that user. Now you won't
be able to view that page at all.

The edit page shows that user's settings and the "identity" half of
their API keys, which shouldn't be accessible.

(cherry picked from commit 4193c1b)
  • Loading branch information
zerocrates committed Aug 21, 2023
1 parent 4482f4f commit b3d8871
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions application/src/Controller/Admin/UserController.php
Expand Up @@ -139,6 +139,11 @@ public function editAction()
$readResponse = $this->api()->read('users', $id);
$user = $readResponse->getContent();
$userEntity = $user->getEntity();

if (!$this->userIsAllowed($userEntity, 'update')) {
throw new Exception\PermissionDeniedException;

$currentUser = $userEntity === $this->identity();
$keys = $userEntity->getKeys();

Expand Down

0 comments on commit b3d8871

Please sign in to comment.