mirror of
https://github.com/BookStackApp/BookStack.git
synced 2025-08-06 12:02:45 +03:00
User form: Always show external auth field, update access control
Updated old user management routes to only be accessible with permission to manage users, so also removed old content controls checking for that permission.
This commit is contained in:
@@ -103,8 +103,7 @@ class UserController extends Controller
|
||||
*/
|
||||
public function edit(int $id, SocialAuthService $socialAuthService)
|
||||
{
|
||||
$this->preventGuestAccess();
|
||||
$this->checkPermissionOrCurrentUser('users-manage', $id);
|
||||
$this->checkPermission('users-manage');
|
||||
|
||||
$user = $this->userRepo->getById($id);
|
||||
$user->load(['apiTokens', 'mfaValues']);
|
||||
@@ -134,8 +133,7 @@ class UserController extends Controller
|
||||
public function update(Request $request, int $id)
|
||||
{
|
||||
$this->preventAccessInDemoMode();
|
||||
$this->preventGuestAccess();
|
||||
$this->checkPermissionOrCurrentUser('users-manage', $id);
|
||||
$this->checkPermission('users-manage');
|
||||
|
||||
$validated = $this->validate($request, [
|
||||
'name' => ['min:2', 'max:100'],
|
||||
@@ -150,7 +148,7 @@ class UserController extends Controller
|
||||
]);
|
||||
|
||||
$user = $this->userRepo->getById($id);
|
||||
$this->userRepo->update($user, $validated, userCan('users-manage'));
|
||||
$this->userRepo->update($user, $validated, true);
|
||||
|
||||
// Save profile image if in request
|
||||
if ($request->hasFile('profile_image')) {
|
||||
@@ -168,9 +166,7 @@ class UserController extends Controller
|
||||
$user->save();
|
||||
}
|
||||
|
||||
$redirectUrl = userCan('users-manage') ? '/settings/users' : "/settings/users/{$user->id}";
|
||||
|
||||
return redirect($redirectUrl);
|
||||
return redirect('/settings/users');
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -178,8 +174,7 @@ class UserController extends Controller
|
||||
*/
|
||||
public function delete(int $id)
|
||||
{
|
||||
$this->preventGuestAccess();
|
||||
$this->checkPermissionOrCurrentUser('users-manage', $id);
|
||||
$this->checkPermission('users-manage');
|
||||
|
||||
$user = $this->userRepo->getById($id);
|
||||
$this->setPageTitle(trans('settings.users_delete_named', ['userName' => $user->name]));
|
||||
@@ -195,8 +190,7 @@ class UserController extends Controller
|
||||
public function destroy(Request $request, int $id)
|
||||
{
|
||||
$this->preventAccessInDemoMode();
|
||||
$this->preventGuestAccess();
|
||||
$this->checkPermissionOrCurrentUser('users-manage', $id);
|
||||
$this->checkPermission('users-manage');
|
||||
|
||||
$user = $this->userRepo->getById($id);
|
||||
$newOwnerId = intval($request->get('new_owner_id')) ?: null;
|
||||
|
Reference in New Issue
Block a user