Make user info page public for all logged in user

2025-06-22 09:53:35 +02:00 · 2023-04-08 01:04:10 +02:00 · 2023-04-08 01:04:10 +02:00 · b0d2a22f62
commit b0d2a22f62
parent bcda71cb25
2 changed files with 33 additions and 17 deletions
--- a/src/Controller/UserController.php
+++ b/src/Controller/UserController.php
@ -202,9 +202,11 @@ class UserController extends AdminPages\BaseAdminController
            $user = $tmp;
        } else {
            //Else we must check, if the current user is allowed to access $user
-            $this->denyAccessUnlessGranted('read', $user);
+            $this->denyAccessUnlessGranted('info', $user);
        }

+        //Only show the history table, if the user is the current user
+        if ($user === $this->getUser()) {
            $table = $this->dataTableFactory->createFromType(
                LogDataTable::class,
                [
@ -218,6 +220,7 @@ class UserController extends AdminPages\BaseAdminController
            if ($table->isCallback()) {
                return $table->getResponse();
            }
+        }

        //Show permissions to user
        $builder = $this->createFormBuilder()->add('permissions', PermissionsType::class, [
@ -230,7 +233,7 @@ class UserController extends AdminPages\BaseAdminController
        return $this->renderForm('users/user_info.html.twig', [
            'user' => $user,
            'form' => $builder->getForm(),
-            'datatable' => $table,
+            'datatable' => $table ?? null,
        ]);
    }
 }
--- a/src/Security/Voter/UserVoter.php
+++ b/src/Security/Voter/UserVoter.php
@ -38,9 +38,12 @@ class UserVoter extends ExtendedVoter
    protected function supports(string $attribute, $subject): bool
    {
        if (is_a($subject, User::class, true)) {
-            return in_array($attribute, array_merge(
+            return in_array($attribute,
+                array_merge(
                    $this->resolver->listOperationsForPermission('users'),
-                $this->resolver->listOperationsForPermission('self')),
+                    $this->resolver->listOperationsForPermission('self'),
+                    ['info']
+                ),
                false
            );
        }
@ -56,6 +59,16 @@ class UserVoter extends ExtendedVoter
     */
    protected function voteOnUser(string $attribute, $subject, User $user): bool
    {
+        if ($attribute === 'info') {
+            //Every logged-in user (non-anonymous) can see the info pages of other users
+            if (!$user->isAnonymousUser()) {
+                return true;
+            }
+
+            //For the anonymous user, use the user read permission
+            $attribute = 'read';
+        }
+
        //Check if the checked user is the user itself
        if (($subject instanceof User) && $subject->getID() === $user->getID() &&
            $this->resolver->isValidOperation('self', $attribute)) {