D4328.1775467796.diff
No OneTemporary
Actions

Authored By

Unknown

Size

3 KB

Referenced Files

None

Subscribers

None

D4328.1775467796.diff
View Options

	diff --git a/src/app/Http/Controllers/API/V4/UsersController.php b/src/app/Http/Controllers/API/V4/UsersController.php
	--- a/src/app/Http/Controllers/API/V4/UsersController.php
	+++ b/src/app/Http/Controllers/API/V4/UsersController.php
	@@ -296,9 +296,12 @@
	}

	$current_user = $this->guard()->user();
	+ $requires_controller = $request->skus !== null \|\| $request->aliases !== null;
	+ $can_update = $requires_controller ? $current_user->canDelete($user) : $current_user->canUpdate($user);

	- // TODO: Decide what attributes a user can change on his own profile
	- if (!$current_user->canUpdate($user)) {
	+ // Only wallet controller can set subscriptions and aliases
	+ // TODO: Consider changes in canUpdate() or introduce isController()
	+ if (!$can_update) {
	return $this->errorResponse(403);
	}

	@@ -306,11 +309,6 @@
	return $error_response;
	}

	- // Entitlements, only controller can do that
	- if ($request->skus !== null && !$current_user->canDelete($user)) {
	- return $this->errorResponse(422, "You have no permission to change entitlements");
	- }
	-
	DB::beginTransaction();

	SkusController::updateEntitlements($user, $request->skus);
	diff --git a/src/app/Http/Controllers/RelationController.php b/src/app/Http/Controllers/RelationController.php
	--- a/src/app/Http/Controllers/RelationController.php
	+++ b/src/app/Http/Controllers/RelationController.php
	@@ -291,7 +291,9 @@
	return $this->errorResponse(404);
	}

	- if (!$this->guard()->user()->canUpdate($resource)) {
	+ // Only wallet controller can do this, therefor canDelete() not canUpdate()
	+ // TODO: Consider changes in canUpdate() or introduce isController()
	+ if (!$this->guard()->user()->canDelete($resource)) {
	return $this->errorResponse(403);
	}

	diff --git a/src/tests/Feature/Controller/UsersTest.php b/src/tests/Feature/Controller/UsersTest.php
	--- a/src/tests/Feature/Controller/UsersTest.php
	+++ b/src/tests/Feature/Controller/UsersTest.php
	@@ -693,7 +693,7 @@

	$response->assertStatus(404);

	- // Test access by user not being a wallet controller
	+ // Test access by user not being a wallet controller (controller's config change)
	$post = ['greylist_enabled' => 1];
	$response = $this->actingAs($jack)->post("/api/v4/users/{$john->id}/config", $post);
	$json = $response->json();
	@@ -704,6 +704,10 @@
	$this->assertSame("Access denied", $json['message']);
	$this->assertCount(2, $json);

	+ // Test access by user not being a wallet controller (self config change)
	+ $response = $this->actingAs($jack)->post("/api/v4/users/{$jack->id}/config", $post);
	+ $response->assertStatus(403);
	+
	// Test some invalid data
	$post = ['grey' => 1, 'password_policy' => 'min:1,max:255'];
	$response = $this->actingAs($john)->post("/api/v4/users/{$john->id}/config", $post);
	@@ -1159,10 +1163,14 @@
	$owner->assignPackage($package_kolab);
	$owner->assignPackage($package_lite, $user);

	- // Non-controller cannot update his own entitlements
	+ // Non-controller cannot update his own entitlements, nor aliases
	$post = ['skus' => []];
	$response = $this->actingAs($user)->put("/api/v4/users/{$user->id}", $post);
	- $response->assertStatus(422);
	+ $response->assertStatus(403);
	+
	+ $post = ['aliases' => []];
	+ $response = $this->actingAs($user)->put("/api/v4/users/{$user->id}", $post);
	+ $response->assertStatus(403);

	// Test updating entitlements
	$post = [

File Metadata

Mime Type: text/plain
Expires: Mon, Apr 6, 9:29 AM (13 h, 26 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 18775188
Default Alt Text: D4328.1775467796.diff (3 KB)

D4328.1775467796.diffNo OneTemporaryActions

D4328.1775467796.diffView Options

File Metadata

Event Timeline

D4328.1775467796.diff
No OneTemporary
Actions

D4328.1775467796.diff
View Options