Make user info page public for all logged in user

2025-06-22 09:53:35 +02:00 · 2023-04-08 01:04:10 +02:00 · 2023-04-08 01:04:10 +02:00 · b0d2a22f62
commit b0d2a22f62
parent bcda71cb25
2 changed files with 33 additions and 17 deletions
--- a/src/Controller/UserController.php
+++ b/src/Controller/UserController.php
@ -202,21 +202,24 @@ class UserController extends AdminPages\BaseAdminController
            $user = $tmp;
        } else {
            //Else we must check, if the current user is allowed to access $user
-            $this->denyAccessUnlessGranted('read', $user);
+            $this->denyAccessUnlessGranted('info', $user);
        }

-        $table = $this->dataTableFactory->createFromType(
-            LogDataTable::class,
-            [
-                'filter_elements' => $user,
-                'mode' => 'element_history',
-            ],
-            ['pageLength' => 10]
-        )
-            ->handleRequest($request);
+        //Only show the history table, if the user is the current user
+        if ($user === $this->getUser()) {
+            $table = $this->dataTableFactory->createFromType(
+                LogDataTable::class,
+                [
+                    'filter_elements' => $user,
+                    'mode' => 'element_history',
+                ],
+                ['pageLength' => 10]
+            )
+                ->handleRequest($request);

-        if ($table->isCallback()) {
-            return $table->getResponse();
+            if ($table->isCallback()) {
+                return $table->getResponse();
+            }
        }

        //Show permissions to user
@ -230,7 +233,7 @@ class UserController extends AdminPages\BaseAdminController
        return $this->renderForm('users/user_info.html.twig', [
            'user' => $user,
            'form' => $builder->getForm(),
-            'datatable' => $table,
+            'datatable' => $table ?? null,
        ]);
    }
 }
--- a/src/Security/Voter/UserVoter.php
+++ b/src/Security/Voter/UserVoter.php
@ -38,10 +38,13 @@ class UserVoter extends ExtendedVoter
    protected function supports(string $attribute, $subject): bool
    {
        if (is_a($subject, User::class, true)) {
-            return in_array($attribute, array_merge(
-                $this->resolver->listOperationsForPermission('users'),
-                $this->resolver->listOperationsForPermission('self')),
-                            false
+            return in_array($attribute,
+                array_merge(
+                    $this->resolver->listOperationsForPermission('users'),
+                    $this->resolver->listOperationsForPermission('self'),
+                    ['info']
+                ),
+                false
            );
        }

@ -56,6 +59,16 @@ class UserVoter extends ExtendedVoter
     */
    protected function voteOnUser(string $attribute, $subject, User $user): bool
    {
+        if ($attribute === 'info') {
+            //Every logged-in user (non-anonymous) can see the info pages of other users
+            if (!$user->isAnonymousUser()) {
+                return true;
+            }
+
+            //For the anonymous user, use the user read permission
+            $attribute = 'read';
+        }
+
        //Check if the checked user is the user itself
        if (($subject instanceof User) && $subject->getID() === $user->getID() &&
            $this->resolver->isValidOperation('self', $attribute)) {