
Commit 9100a82

Guests: Prevented access to profile routes
Prevents actions on certain routes for the guest user when public access is enabled. I could not see a way this could be a security issue, beyond a mild nuisance that would only be visible if public users can edit, which would present a larger potential nuisance anyway.
1 parent 32516f7 commit 9100a82


2 files changed

+16
-0
lines changed

2 files changed

+16
-0
lines changed

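--- a/app/Users/Controllers/UserController.php
+++ b/app/Users/Controllers/UserController.php
@@ -103,6 +103,7 @@ public function store(Request $request)
 */
 public function edit(int $id, SocialAuthService $socialAuthService)
 {
+$this->preventGuestAccess();
 $this->checkPermissionOrCurrentUser('users-manage', $id);
 
 $user = $this->userRepo->getById($id);
@@ -133,6 +134,7 @@ public function edit(int $id, SocialAuthService $socialAuthService)
 public function update(Request $request, int $id)
 {
 $this->preventAccessInDemoMode();
+$this->preventGuestAccess();
 $this->checkPermissionOrCurrentUser('users-manage', $id);
 
 $validated = $this->validate($request, [
@@ -176,6 +178,7 @@ public function update(Request $request, int $id)
 */
 public function delete(int $id)
 {
+$this->preventGuestAccess();
 $this->checkPermissionOrCurrentUser('users-manage', $id);
 
 $user = $this->userRepo->getById($id);
@@ -192,6 +195,7 @@ public function delete(int $id)
 public function destroy(Request $request, int $id)
 {
 $this->preventAccessInDemoMode();
+$this->preventGuestAccess();
 $this->checkPermissionOrCurrentUser('users-manage', $id);
 
 $user = $this->userRepo->getById($id);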
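Review bot: The docblocks that close with `*/` directly above edit and delete are not updated to mention the new restriction, so a reader of the method signature cannot tell that the guest account is rejected even though checkPermissionOrCurrentUser would otherwise allow it to act on its own id; add a line such as ` * Guest (public) users are rejected before the permission check.` to each, and the same applies to update and destroy whose docblocks sit above their hunks. Placing preventGuestAccess() ahead of checkPermissionOrCurrentUser in all four methods is the right order for that reason, and it is consistent with preventAccessInDemoMode() coming first in update and destroy. What preventGuestAccess() does on rejection is not visible here; the accompanying test asserts a permission error, so presumably it throws the same exception as the permission check, which is worth confirming. Each method body continues past its hunk.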

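--- a/tests/PublicActionTest.php
+++ b/tests/PublicActionTest.php
@@ -207,4 +207,16 @@ public function test_public_view_can_take_on_other_roles()
 
 $this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
 }
+
+public function test_public_user_cannot_view_or_update_their_profile()
+{
+$this->setSettings(['app-public' => 'true']);
+$guest = $this->users->guest();
+
+$resp = $this->get($guest->getEditUrl());
+$this->assertPermissionError($resp);
+
+$resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
+$this->assertPermissionError($resp);
+}
 }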
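Review bot: The new test only exercises the edit (GET) and update (PUT) routes, while the controller change also guards delete and destroy, so those two code paths have no regression coverage and a future refactor could drop the guard there unnoticed. Extend the test, or add a sibling one, to request the guest's delete confirmation page and send the DELETE request for the guest's id, asserting a permission error on both; the exact URLs are not shown on this page, so use whatever helper the test suite already provides for them. The test also does not confirm that the unauthenticated request is running as the guest user rather than being redirected to login, but with app-public enabled that is presumably what setSettings arranges.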
