webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-08-06 12:02:45 +03:00
Code Activity

User form: Always show external auth field, update access control

Browse Source 
Updated old user management routes to only be accessible with permission
to manage users, so also removed old content controls checking for that
permission.
This commit is contained in:
Dan Brown
2023-10-19 10:20:04 +01:00
parent e4ea73ee25
commit cf72e48d2a
4 changed files with 27 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
app/Users/Controllers/UserController.php
View File

@@ -103,8 +103,7 @@ class UserController extends Controller
*/
public function edit(int $id, SocialAuthService $socialAuthService)
{
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$this->checkPermission('users-manage');
$user = $this->userRepo->getById($id);
$user->load(['apiTokens', 'mfaValues']);
@@ -134,8 +133,7 @@ class UserController extends Controller
public function update(Request $request, int $id)
{
$this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$this->checkPermission('users-manage');
$validated = $this->validate($request, [
'name' => ['min:2', 'max:100'],
@@ -150,7 +148,7 @@ class UserController extends Controller
]);
$user = $this->userRepo->getById($id);
$this->userRepo->update($user, $validated, userCan('users-manage'));
$this->userRepo->update($user, $validated, true);
// Save profile image if in request
if ($request->hasFile('profile_image')) {
@@ -168,9 +166,7 @@ class UserController extends Controller
$user->save();
}
$redirectUrl = userCan('users-manage') ? '/settings/users' : "/settings/users/{$user->id}";
return redirect($redirectUrl);
return redirect('/settings/users');
}
/**
@@ -178,8 +174,7 @@ class UserController extends Controller
*/
public function delete(int $id)
{
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$this->checkPermission('users-manage');
$user = $this->userRepo->getById($id);
$this->setPageTitle(trans('settings.users_delete_named', ['userName' => $user->name]));
@@ -195,8 +190,7 @@ class UserController extends Controller
public function destroy(Request $request, int $id)
{
$this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$this->checkPermission('users-manage');
$user = $this->userRepo->getById($id);
$newOwnerId = intval($request->get('new_owner_id')) ?: null;