From cb13d64a1101bf9ab0f3aaf5613266cad786e47a Mon Sep 17 00:00:00 2001
From: Welling Guzman
Date: Fri, 22 Jun 2018 15:22:45 -0400
Subject: [PATCH] enforce users table permission with user permission
for the moment we are going to let the user edit any user information as long as it has the permission to it
---
 .../Application/CoreServicesProvider.php | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/src/core/Directus/Application/CoreServicesProvider.php b/src/core/Directus/Application/CoreServicesProvider.php
index 6ff90d21cf..eb0a70fc9a 100644
--- a/src/core/Directus/Application/CoreServicesProvider.php
+++ b/src/core/Directus/Application/CoreServicesProvider.php
@@ -254,10 +254,10 @@ protected function getEmitter()
 $privilegesTable->insertPrivilege([
 'role' => $data['id'],
 'collection' => 'directus_users',
- 'create' => 0,
- 'read' => 1,
- 'update' => 1,
- 'delete' => 0,
+ 'create' => Acl::LEVEL_NONE,
+ 'read' => Acl::LEVEL_USER,
+ 'update' => Acl::LEVEL_USER,
+ 'delete' => Acl::LEVEL_NONE,
 'read_field_blacklist' => 'token',
 'write_field_blacklist' => 'group,token'
 ]);
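Review bot: The new `Acl::LEVEL_*` values only reach roles created through this handler after the change; `directus_users` privilege rows written by the old code still hold the literal `0`/`1`, and unless `Acl::LEVEL_USER` happens to equal `1` (not visible here) those rows will be read under the new level scheme without ever being migrated. A migration of the existing privilege rows, or a comment on why none is needed, should accompany this hunk. With update now delegated to the user level, `write_field_blacklist` still lists only `group,token`; if the users table carries other fields a user must not set on their own record, they presumably belong here too — confirm against the schema. The `insertPrivilege` call sits inside getEmitter(), which starts and ends outside this hunk.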
@@ -584,18 +584,9 @@ protected function getEmitter()
 }
 };
- $preventOtherUsersFromUpdateAUser = function (array $payload) use ($container) {
- /** @var Acl $acl */
- $acl = $container->get('acl');
-
- if (!$acl->isAdmin() && $acl->getUserId() != ArrayUtils::get($payload, 'id')) {
- throw new ForbiddenException('You are not allowed to edit other user information');
- }
- };
 $emitter->addAction('collection.insert.directus_user_roles:before', $preventNonAdminFromUpdateRoles);
 $emitter->addAction('collection.update.directus_user_roles:before', $preventNonAdminFromUpdateRoles);
 $emitter->addAction('collection.delete.directus_user_roles:before', $preventNonAdminFromUpdateRoles);
- $emitter->addAction('collection.update.directus_users:before', $preventOtherUsersFromUpdateAUser);
 $generateExternalId = function (Payload $payload) {
 // generate an external id if none is passed
 if (!$payload->get('external_id')) {
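Review bot: After this hunk there is no explicit ownership check left on `collection.update.directus_users:before`, so a non-admin whose role grants an update privilege on `directus_users` above user level can edit other users' records; nothing in the hunk shows the ACL layer enforcing `Acl::LEVEL_USER` on that path, so that enforcement should be verified and covered by a test before the hook is dropped. The commit message calls this temporary, which is worth recording next to the remaining `addAction` calls: `// NOTE: ownership of directus_users updates is now enforced solely by the role's update level on that collection; no hook-level guard remains.` Because the removed guard also protected roles still carrying the legacy numeric `update => 1`, keeping a hook that rejects a non-admin update whose `id` differs from `$acl->getUserId()` unless the role's level is user-scoped or above would be a cheap safety net until privileges are migrated. The enclosing getEmitter() method continues past both ends of this hunk.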