Guests: Prevented access to profile routes

Prevention of action on certain routes for guest user when public access
is enabled. Could not see a way this could be a security issue, beyond a
mild nuisance that'd only be visible if public users can edit, which
would present larger potential nuisance anyway.
This commit is contained in:
Dan Brown 2023-08-26 14:07:48 +01:00
parent 32516f7b68
commit 9100a82b47
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
2 changed files with 16 additions and 0 deletions

View File

@ -103,6 +103,7 @@ class UserController extends Controller
*/ */
public function edit(int $id, SocialAuthService $socialAuthService) public function edit(int $id, SocialAuthService $socialAuthService)
{ {
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id); $this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id); $user = $this->userRepo->getById($id);
@ -133,6 +134,7 @@ class UserController extends Controller
public function update(Request $request, int $id) public function update(Request $request, int $id)
{ {
$this->preventAccessInDemoMode(); $this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id); $this->checkPermissionOrCurrentUser('users-manage', $id);
$validated = $this->validate($request, [ $validated = $this->validate($request, [
@ -176,6 +178,7 @@ class UserController extends Controller
*/ */
public function delete(int $id) public function delete(int $id)
{ {
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id); $this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id); $user = $this->userRepo->getById($id);
@ -192,6 +195,7 @@ class UserController extends Controller
public function destroy(Request $request, int $id) public function destroy(Request $request, int $id)
{ {
$this->preventAccessInDemoMode(); $this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id); $this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id); $user = $this->userRepo->getById($id);

View File

@ -207,4 +207,16 @@ class PublicActionTest extends TestCase
$this->withHtml($resp)->assertLinkExists($page->getUrl('/edit')); $this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
} }
public function test_public_user_cannot_view_or_update_their_profile()
{
$this->setSettings(['app-public' => 'true']);
$guest = $this->users->guest();
$resp = $this->get($guest->getEditUrl());
$this->assertPermissionError($resp);
$resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
$this->assertPermissionError($resp);
}
} }