Guests: Prevented access to profile routes

Prevention of action on certain routes for guest user when public access is enabled. Could not see a way this could be a security issue, beyond a mild nuisance that'd only be visible if public users can edit, which would present larger potential nuisance anyway.
2024-10-01 01:36:00 -04:00 · 2023-08-26 14:07:48 +01:00 · 2023-08-26 14:07:48 +01:00 · 9100a82b47
commit 9100a82b47
parent 32516f7b68
2 changed files with 16 additions and 0 deletions
--- a/app/Users/Controllers/UserController.php
+++ b/app/Users/Controllers/UserController.php
@ -103,6 +103,7 @@ class UserController extends Controller
     */
    public function edit(int $id, SocialAuthService $socialAuthService)
    {
        $this->preventGuestAccess();
        $this->checkPermissionOrCurrentUser('users-manage', $id);
        $user = $this->userRepo->getById($id);
@ -133,6 +134,7 @@ class UserController extends Controller
    public function update(Request $request, int $id)
    {
        $this->preventAccessInDemoMode();
        $this->preventGuestAccess();
        $this->checkPermissionOrCurrentUser('users-manage', $id);
        $validated = $this->validate($request, [
@ -176,6 +178,7 @@ class UserController extends Controller
     */
    public function delete(int $id)
    {
        $this->preventGuestAccess();
        $this->checkPermissionOrCurrentUser('users-manage', $id);
        $user = $this->userRepo->getById($id);
@ -192,6 +195,7 @@ class UserController extends Controller
    public function destroy(Request $request, int $id)
    {
        $this->preventAccessInDemoMode();
        $this->preventGuestAccess();
        $this->checkPermissionOrCurrentUser('users-manage', $id);
        $user = $this->userRepo->getById($id);
--- a/tests/PublicActionTest.php
+++ b/tests/PublicActionTest.php
@ -207,4 +207,16 @@ class PublicActionTest extends TestCase
        $this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
    }
    public function test_public_user_cannot_view_or_update_their_profile()
    {
        $this->setSettings(['app-public' => 'true']);
        $guest = $this->users->guest();
        $resp = $this->get($guest->getEditUrl());
        $this->assertPermissionError($resp);
        $resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
        $this->assertPermissionError($resp);
    }
 }