enforce users table permission with user permission
For the moment, a user may edit any user record as long as their role's privilege on `directus_users` permits it; the per-request "own record only" hook is removed in favour of the ACL level.
wellingguzman committed Jun 22, 2018
1 parent 25564c9 commit cb13d64
Showing 1 changed file with 4 additions and 13 deletions.
17 changes: 4 additions & 13 deletions src/core/Directus/Application/CoreServicesProvider.php
Expand Up @@ -254,10 +254,10 @@ protected function getEmitter()
$privilegesTable->insertPrivilege([
'role' => $data['id'],
'collection' => 'directus_users',
'create' => 0,
'read' => 1,
'update' => 1,
'delete' => 0,
'create' => Acl::LEVEL_NONE,
'read' => Acl::LEVEL_USER,
'update' => Acl::LEVEL_USER,
'delete' => Acl::LEVEL_NONE,
'read_field_blacklist' => 'token',
'write_field_blacklist' => 'group,token'
]);
Expand Down Expand Up @@ -584,18 +584,9 @@ protected function getEmitter()
}
};

$preventOtherUsersFromUpdateAUser = function (array $payload) use ($container) {
/** @var Acl $acl */
$acl = $container->get('acl');

if (!$acl->isAdmin() && $acl->getUserId() != ArrayUtils::get($payload, 'id')) {
throw new ForbiddenException('You are not allowed to edit other user information');
}
};
$emitter->addAction('collection.insert.directus_user_roles:before', $preventNonAdminFromUpdateRoles);
$emitter->addAction('collection.update.directus_user_roles:before', $preventNonAdminFromUpdateRoles);
$emitter->addAction('collection.delete.directus_user_roles:before', $preventNonAdminFromUpdateRoles);
$emitter->addAction('collection.update.directus_users:before', $preventOtherUsersFromUpdateAUser);
$generateExternalId = function (Payload $payload) {
// generate an external id if none is passed
if (!$payload->get('external_id')) {
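Review bot: Deleting `$preventOtherUsersFromUpdateAUser` (second hunk, the lines after `$preventNonAdminFromUpdateRoles`) makes the `update` level stored in the privileges row the only thing separating "edit my own record" from "edit any user", while the `Acl::LEVEL_USER` row in the first hunk is inserted only for roles created through this hook, and `write_field_blacklist` is still just `group,token`, so `email` and `password` stay writable. If an existing role was seeded with the old numeric `'update' => 1`, or is ever raised above `LEVEL_USER`, a non-admin in that role can presumably rewrite an admin's `email`/`password`, which is an account takeover rather than a data-quality issue; I cannot see from this hunk whether `1` and `Acl::LEVEL_USER` are the same value, so that mapping should be confirmed or migrated. I would keep a narrowed version of the guard instead of dropping it, e.g. keep throwing `ForbiddenException('You are not allowed to edit other user information')` when `!$acl->isAdmin()` and the target `id` differs from `$acl->getUserId()` unless the `$acl` service reports an update level above `LEVEL_USER` for `directus_users`, and add `password,email` (or at least the admin-only fields) to the blacklist for the default role row. Note also that the removed check used `!=` on the ids; if it is restored, `!==` with an explicit cast avoids `"1abc" == 1` style surprises. The enclosing `getEmitter()` begins and ends outside both hunks.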
