From b0d2a22f625bc14a02618856394564c6dbdc1c55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sat, 8 Apr 2023 01:04:10 +0200
Subject: [PATCH] Make user info page public for all logged in user
---
 src/Controller/UserController.php | 29 ++++++++++++++++-------------
 src/Security/Voter/UserVoter.php | 21 +++++++++++++++++----
 2 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/src/Controller/UserController.php b/src/Controller/UserController.php
index 6dad4159..9949b8c7 100644
--- a/src/Controller/UserController.php
+++ b/src/Controller/UserController.php
@@ -202,21 +202,24 @@ class UserController extends AdminPages\BaseAdminController
 $user = $tmp;
 } else {
 //Else we must check, if the current user is allowed to access $user
- $this->denyAccessUnlessGranted('read', $user);
+ $this->denyAccessUnlessGranted('info', $user);
 }
- $table = $this->dataTableFactory->createFromType(
- LogDataTable::class,
- [
- 'filter_elements' => $user,
- 'mode' => 'element_history',
- ],
- ['pageLength' => 10]
- )
- ->handleRequest($request);
+ //Only show the history table, if the user is the current user
+ if ($user === $this->getUser()) {
+ $table = $this->dataTableFactory->createFromType(
+ LogDataTable::class,
+ [
+ 'filter_elements' => $user,
+ 'mode' => 'element_history',
+ ],
+ ['pageLength' => 10]
+ )
+ ->handleRequest($request);
- if ($table->isCallback()) {
- return $table->getResponse();
+ if ($table->isCallback()) {
+ return $table->getResponse();
+ }
 }
 //Show permissions to user
@@ -230,7 +233,7 @@ class UserController extends AdminPages\BaseAdminController
 return $this->renderForm('users/user_info.html.twig', [
 'user' => $user,
 'form' => $builder->getForm(),
- 'datatable' => $table,
+ 'datatable' => $table ?? null,
 ]);
 }
 }
diff --git a/src/Security/Voter/UserVoter.php b/src/Security/Voter/UserVoter.php
index dcd7cb20..a311e4db 100644
--- a/src/Security/Voter/UserVoter.php
+++ b/src/Security/Voter/UserVoter.php
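Review bot: The new `'info'` gate admits every authenticated user, but the permission form that is still rendered for them (`'form' => $builder->getForm()`, built under the `//Show permissions to user` context line) is not narrowed with it, so a viewer who previously needed `read` on `$user` (the removed `denyAccessUnlessGranted('read', $user)`) now sees another account's full permission set. If the info page is not meant to expose that, gate the builder the same way the history table is gated, e.g. `if ($this->isGranted('read', $user)) { … }`. The history gate compares object identity (`$user === $this->getUser()`) while UserVoter decides self-access via `getID()`; if the token user and the repository-loaded `$user` are ever distinct instances the table silently disappears (fail closed), so comparing IDs would match the voter's notion of "self". The enclosing method starts before the hunk and the form-builder lines lie between the two hunks, so this is inferred from the context lines.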
@@ -38,10 +38,13 @@ class UserVoter extends ExtendedVoter
 protected function supports(string $attribute, $subject): bool
 {
 if (is_a($subject, User::class, true)) {
- return in_array($attribute, array_merge(
- $this->resolver->listOperationsForPermission('users'),
- $this->resolver->listOperationsForPermission('self')),
- false
+ return in_array($attribute,
+ array_merge(
+ $this->resolver->listOperationsForPermission('users'),
+ $this->resolver->listOperationsForPermission('self'),
+ ['info']
+ ),
+ false
 );
 }
@@ -56,6 +59,16 @@ class UserVoter extends ExtendedVoter
 */
 protected function voteOnUser(string $attribute, $subject, User $user): bool
 {
+ if ($attribute === 'info') {
+ //Every logged-in user (non-anonymous) can see the info pages of other users
+ if (!$user->isAnonymousUser()) {
+ return true;
+ }
+
+ //For the anonymous user, use the user read permission
+ $attribute = 'read';
+ }
+
 //Check if the checked user is the user itself
 if (($subject instanceof User) && $subject->getID() === $user->getID() && $this->resolver->isValidOperation('self', $attribute)) {
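Review bot: `supports()` still passes `false` as the third argument of `in_array`, so the new `['info']` entry and the resolver's operation lists are matched with loose comparison; attribute and operation names are all strings, so `true` costs nothing and rules out numeric-string coincidences such as `'1e1' == '10'`. Change the trailing argument to `true`. `'info'` is also spelled as a bare literal here, in `voteOnUser` in the next hunk and in `UserController::denyAccessUnlessGranted`; a `public const` on the voter would keep the three call sites in step.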
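Review bot: The `'info'` branch returns `true` for every non-anonymous `$user` before the resolver is consulted, so unlike the other operations it cannot be revoked per user or group through the permission system, and the method's docblock (which closes at the ` */` context line at the top of the hunk) does not say so. Add a sentence there such as `'info' is granted to every authenticated user; for the anonymous user it is evaluated as the 'read' operation instead.` Rewriting `$attribute` to `'read'` also means the `self` check that follows (the `if` continues below the hunk) now runs `isValidOperation('self', 'read')` when the anonymous user views its own page, which is presumably intended but deserves a one-line comment at the `$attribute = 'read';` line.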