Fix blocking access to some APIs
ClosedPublic
Actions

Authored by machniak on May 19 2023, 3:58 PM.

Details

Reviewers

None

Group Reviewers

Restricted Project

Commits

rKdd0613b1c65c: Fix blocking access to some APIs

Summary

Non-controller users cannot change their own config, email aliases and subscriptions.

Test Plan

./phpunit

Repository

rK kolab

Lint

Lint Not Applicable

Unit

Tests Not Applicable

machniak requested review of this revision.May 19 2023, 3:58 PM

machniak created this revision.

mollekopf added inline comments.

src/app/Http/Controllers/API/V4/UsersController.php
302–304	It's a pure style issue, but I really don't like using strings where it can be avoided: This could just be written as: $canExecuteModification = $requires_controller ? $current_user->canDelete($user) : $current_user->canUpdate($user); or a variation thereof. It's IMO easier to read (I know, subjective), but it also allows typecheckers/linters/autocompletion etc to function. Obviously not a blocker.
src/app/Http/Controllers/RelationController.php
294–296	This seems like an indirect check. Non-controllers cannot delete, therefore we use this to check if they can modify the config here. I think it would be better to have an explicit isController check, or at least supply a comment what we mean to be checking here.