restricted user management to a couple of users
@@ -12,6 +12,9 @@ class UserController extends mfBaseController
|
||||
{
|
||||
private $me;
|
||||
|
||||
// User IDs allowed to manage (add/edit/delete) users
|
||||
private const ALLOWED_USER_MANAGER_IDS = [2, 5, 9, 6, 89, 145, 24];
|
||||
|
||||
protected function init($request = null)
|
||||
{
|
||||
$this->needlogin = true;
|
||||
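Review bot: The new `ALLOWED_USER_MANAGER_IDS` constant hard-codes an authorization decision as seven bare numbers, so granting or revoking user-management rights now requires a code change and a deploy, and a reviewer cannot tell from the diff who those ids are. At minimum the comment should say where the list is maintained and why it is a fixed set, e.g. `// User IDs allowed to manage (add/edit/delete) users; membership changes require a deploy — consider a per-user permission flag instead`. Longer term a permission column on the User record (checked the same way `isAdmin()` is) would keep this auditable and changeable without touching source; whether such a mechanism already exists is not visible here.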
@@ -24,6 +27,11 @@ class UserController extends mfBaseController
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST') $this->postData = json_decode(file_get_contents('php://input'), true);
|
||||
}
|
||||
|
||||
private function canManageUsers(): bool
|
||||
{
|
||||
return in_array($this->me->id, self::ALLOWED_USER_MANAGER_IDS);
|
||||
}
|
||||
|
||||
protected function indexAction($request)
|
||||
{
|
||||
if (!$this->isAdmin()) {
|
||||
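Review bot: `canManageUsers()` calls `in_array()` without the strict flag, so the match is made with loose comparison against an int list; if `$this->me->id` arrives as a string from the database it still works today, but a strict check documents the intent and rules out surprises: `return in_array((int) $this->me->id, self::ALLOWED_USER_MANAGER_IDS, true);`. The method also dereferences `$this->me` unconditionally; `init()` sets `needlogin = true`, so presumably `me` is always populated here, but that guarantee is not visible in the hunk. `indexAction` continues past the end of the hunk.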
@@ -32,6 +40,7 @@ class UserController extends mfBaseController
|
||||
|
||||
Helper::renderVue($this, "User", "Benutzer", [
|
||||
"IS_ADMIN" => $this->me->isAdmin(),
|
||||
"CAN_MANAGE_USERS" => $this->canManageUsers(),
|
||||
"USERS" => array_map(fn($user) => [
|
||||
"username" => $user->username,
|
||||
"name" => $user->name,
|
||||
@@ -53,6 +62,7 @@ class UserController extends mfBaseController
|
||||
|
||||
protected function formAction() {
|
||||
if (!$this->isAdmin()) $this->redirect("Dashboard");
|
||||
if (!$this->canManageUsers()) $this->redirect("User");
|
||||
|
||||
$id = $this->request->id;
|
||||
$user = ($id && is_numeric($id) && $id > 0) ? new User($id) : new User();
|
||||
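Review bot: The new guard in `formAction` (and the identical one added to `generateApikeyAction` in the next hunk) only works if `$this->redirect()` terminates the request; if it merely emits a Location header, execution continues and the form is still built and rendered for a non-allowlisted admin. Elsewhere in this commit the deny path uses `header(...); exit;`, so the behaviour of `redirect()` is not obvious from the diff. If it does not exit, `return $this->redirect("User");` or an explicit `exit` after it would make the guard unconditional. Both functions continue beyond their hunks.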
@@ -178,6 +188,7 @@ class UserController extends mfBaseController
|
||||
|
||||
protected function generateApikeyAction($request) {
|
||||
if (!$this->isAdmin()) $this->redirect("Dashboard");
|
||||
if (!$this->canManageUsers()) $this->redirect("User");
|
||||
|
||||
$id = $request['id'];
|
||||
if (!is_numeric($id) || $id < 1) {
|
||||
@@ -207,6 +218,11 @@ class UserController extends mfBaseController
|
||||
unset($r->address_id);
|
||||
}
|
||||
|
||||
// Only allowed users can create/edit other users
|
||||
if ($this->isAdmin() && !$this->canManageUsers()) {
|
||||
self::redirect('User');
|
||||
}
|
||||
|
||||
if (!$id && !$r->username) self::redirect('User');
|
||||
|
||||
$user = new User($id);
|
||||
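Review bot: The condition `if ($this->isAdmin() && !$this->canManageUsers())` does not do what the comment above it says: a caller for whom `isAdmin()` is false skips the check entirely and falls through to `new User($id)` and the save. If an earlier `isAdmin()` guard exists above the hunk the extra conjunct is merely redundant, but as written the safer form is `if (!$this->canManageUsers()) { self::redirect('User'); }`, which matches the guards added to `formAction` and `generateApikeyAction`. The enclosing save action starts before this hunk, so the earlier checks are not visible here.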
@@ -569,7 +585,7 @@ class UserController extends mfBaseController
|
||||
}
|
||||
|
||||
protected function impersonateAction() {
|
||||
if(!$this->me->isAdmin() || $this->me->address_id != 1) {
|
||||
if(!$this->me->isAdmin() || $this->me->address_id != 1 || !$this->canManageUsers()) {
|
||||
header("HTTP/1.1 403 Forbidden");
|
||||
exit;
|
||||
}
|
||||
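Review bot: The 403 branch in `impersonateAction` now also fires for admins outside the allowlist, but it records nothing before `exit`; since impersonation is the most sensitive operation in this controller, a refused attempt is worth one audit log line carrying `$this->me->id` and the requested target so that such attempts are detectable afterwards. Whether a logging helper is available is not visible in this hunk. The old condition line is still printed above the new one; only the new one is under review.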
@@ -590,6 +606,10 @@ class UserController extends mfBaseController
|
||||
|
||||
protected function sendLoginEmailAction()
|
||||
{
|
||||
if (!$this->canManageUsers()) {
|
||||
self::sendError("Keine Berechtigung.");
|
||||
}
|
||||
|
||||
$id = $this->request->id;
|
||||
if (!$id || !is_numeric($id)) {
|
||||
self::sendError("Benutzer-ID fehlt oder ist ungültig.");
|
||||
|
||||
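Review bot: `sendLoginEmailAction` is now gated on `canManageUsers()` alone, whereas the other actions changed in this commit check `isAdmin()` first and then the allowlist; here a user who is removed from the admin role but still listed in `ALLOWED_USER_MANAGER_IDS` keeps the ability to trigger login emails for other accounts. Aligning the guard with the rest of the controller, `if (!$this->isAdmin() || !$this->canManageUsers()) {`, keeps the allowlist as a narrowing of admin rather than an independent grant. This assumes `sendError()` ends the request, which the pre-existing invalid-id branch below already relies on.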