Fixes the authorization for certain endpoints on the UsersController #4994
The UsersController is responsible for editing users in the back office. We authorize access to all actions on this controller based on section access, so if users don't have access to the users section, none of these actions will be authorized. We also go a step further with persisting users so that non-admins cannot save admins; however, there are a few endpoints that will allow non-admins to view admin information and also change their avatars or disable them.
This PR fixes that authorization.
Testing - ensure that the normal user editing experience continues to work, that admins can edit other admins and users, and that non-admins cannot edit, modify, etc. other admins. To go a step further, test that a non-admin cannot navigate directly to edit an admin (i.e. go do
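An added sketch of the gap described above (this is not code from this PR or from the project; the types, method names and the `"users"` section key are hypothetical stand-ins): the unfixed disable endpoint only checks section access, so a non-admin with the users section can reach an admin account, while the fixed endpoints route every per-user read or write through one shared target check.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample users: one admin, one non-admin, both with access to the users section.
var admin = new BackOfficeUser(1, true, new() { "users" });
var editor = new BackOfficeUser(2, false, new() { "users" });
var svc = new UsersService(new[] { admin, editor });
svc.DisableUserUnfixed(editor, admin.Id);   // allowed before the fix: a non-admin disables an admin
Console.WriteLine($"admin disabled via unfixed endpoint: {admin.Disabled}");
try { svc.DisableUser(editor, admin.Id); } catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
svc.SetAvatar(admin, editor.Id, "new.png");  // an admin editing a non-admin still works

// Hypothetical stand-in for the back-office user model; not the project's own type.
public sealed record BackOfficeUser(int Id, bool IsAdmin, HashSet<string> Sections)
{
    public bool Disabled { get; set; }
    public string Avatar { get; set; } = "";
}

public sealed class UsersService
{
    private readonly Dictionary<int, BackOfficeUser> _users;
    public UsersService(IEnumerable<BackOfficeUser> seed) => _users = seed.ToDictionary(u => u.Id);

    // Section-level gate: the only check the affected endpoints performed.
    private static void RequireUsersSection(BackOfficeUser caller)
    {
        if (!caller.Sections.Contains("users")) throw new UnauthorizedAccessException("no access to the users section");
    }

    // Target-level gate. Before the fix the admin rule ran only on save, so the view,
    // avatar and disable endpoints reached admin accounts with just the section check.
    private BackOfficeUser AuthorizedTarget(BackOfficeUser caller, int targetId)
    {
        RequireUsersSection(caller);
        var target = _users[targetId];
        if (target.IsAdmin && !caller.IsAdmin) throw new UnauthorizedAccessException("non-admin may not act on an admin user");
        return target;
    }

    // Unfixed shape: section access alone, so a non-admin can disable an admin.
    public void DisableUserUnfixed(BackOfficeUser caller, int id) { RequireUsersSection(caller); _users[id].Disabled = true; }

    // Fixed shape: every endpoint that touches one specific user goes through the same gate.
    public BackOfficeUser GetUser(BackOfficeUser caller, int id) => AuthorizedTarget(caller, id);
    public void DisableUser(BackOfficeUser caller, int id) => AuthorizedTarget(caller, id).Disabled = true;
    public void SetAvatar(BackOfficeUser caller, int id, string avatar) => AuthorizedTarget(caller, id).Avatar = avatar;
}
```

The point to test for, as the description asks, is that the target check runs on every per-user endpoint (view, avatar, disable), not only on save.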