
Guests: Prevented access to profile routes
Prevention of action on certain routes for guest user when public access
is enabled. Could not see a way this could be a security issue, beyond a
mild nuisance that'd only be visible if public users can edit, which
would present larger potential nuisance anyway.
ssddanbrown committed Aug 26, 2023
1 parent 32516f7 commit 9100a82
Showing 2 changed files with 16 additions and 0 deletions.
4 changes: 4 additions & 0 deletions app/Users/Controllers/UserController.php
Expand Up @@ -103,6 +103,7 @@ public function store(Request $request)
*/
public function edit(int $id, SocialAuthService $socialAuthService)
{
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);

$user = $this->userRepo->getById($id);
Expand Down Expand Up @@ -133,6 +134,7 @@ public function edit(int $id, SocialAuthService $socialAuthService)
public function update(Request $request, int $id)
{
$this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);

$validated = $this->validate($request, [
Expand Down Expand Up @@ -176,6 +178,7 @@ public function update(Request $request, int $id)
*/
public function delete(int $id)
{
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);

$user = $this->userRepo->getById($id);
Expand All @@ -192,6 +195,7 @@ public function delete(int $id)
public function destroy(Request $request, int $id)
{
$this->preventAccessInDemoMode();
$this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);

$user = $this->userRepo->getById($id);
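Review bot: The guard is repeated by hand in all four hunks (edit, update, delete, destroy) immediately ahead of `$this->checkPermissionOrCurrentUser('users-manage', $id)`, and nothing in the code records why it belongs there, so a future route that reuses the current-user shortcut will not know to add it. Presumably that shortcut is what admits the shared guest account as the "current user" once public access is enabled; if so, a one-line comment on each call such as `// The public guest account is shared; the own-profile shortcut must never apply to it` would capture the intent, or the guest check could be folded into checkPermissionOrCurrentUser itself so it cannot be omitted. Placement is also inconsistent: the call is the first statement in edit and delete but follows preventAccessInDemoMode in update and destroy, which makes the guard slightly harder to audit. Each method's body continues outside the hunk.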
12 changes: 12 additions & 0 deletions tests/PublicActionTest.php
Expand Up @@ -207,4 +207,16 @@ public function test_public_view_can_take_on_other_roles()

$this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
}

public function test_public_user_cannot_view_or_update_their_profile()
{
$this->setSettings(['app-public' => 'true']);
$guest = $this->users->guest();

$resp = $this->get($guest->getEditUrl());
$this->assertPermissionError($resp);

$resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
$this->assertPermissionError($resp);
}
}
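Review bot: The new test exercises only the edit page and the PUT update, while the commit also guards the delete confirmation route and the DELETE action, so two of the four guarded paths stay untested. Adding a GET of the guest's delete-confirmation URL and `$this->delete($guest->getEditUrl())` (presumably the same URL the update targets) each followed by `$this->assertPermissionError($resp);` would cover every route the commit changes, and the test name could then read `test_public_user_cannot_manage_their_profile`. The enclosing test class starts outside the hunk.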
