Non-controller users cannot change their own config, email aliases and subscriptions.
Details
- Reviewers: None
- Group Reviewers: Restricted Project
- Commits: rKdd0613b1c65c: Fix blocking access to some APIs
- Test Plan: `./phpunit`
Diff Detail
- Repository: rK kolab
- Lint: Not Applicable
- Unit Tests: Not Applicable
Event Timeline
| File | Lines | Inline comment |
|---|---|---|
| src/app/Http/Controllers/API/V4/UsersController.php | 302–304 | It's a pure style issue, but I really don't like using strings where it can be avoided. This could just be written as: `$canExecuteModification = $requires_controller ? $current_user->canDelete($user) : $current_user->canUpdate($user);` or a variation thereof. It's IMO easier to read (I know, subjective), but it also allows typecheckers/linters/autocompletion etc. to function. Obviously not a blocker. |
| src/app/Http/Controllers/RelationController.php | 294–296 | This seems like an indirect check. Non-controllers cannot delete, therefore we use this to check if they can modify the config here. I think it would be better to have an explicit `isController` check, or at least supply a comment on what we mean to be checking here. |