Fix issue where non admin.super/admin.users users could see other users profiles [#713]

2026-02-22 14:38:06 +01:00 · 2017-01-31 11:11:38 +01:00
parent f7401543df
commit 01392881d5
2 changed files with 23 additions and 12 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@

 1. [](#bugfix)
    * Fixed issue `admin.super` or `admin.users` users changing the account when saving another user [#713](https://github.com/getgrav/grav-plugin-admin/issues/713)
+    * Fix issue where non `admin.super`/`admin.users` users could see other users profiles [#713](https://github.com/getgrav/grav-plugin-admin/issues/713)

 # v1.2.10
 ## 1/30/2017
--- a/themes/grav/templates/user.html.twig
+++ b/themes/grav/templates/user.html.twig
@@ -4,27 +4,36 @@
    {% set user = admin.data('users/' ~ admin.route) %}
    {% set title = "PLUGIN_ADMIN.USER"|tu ~ ": " ~ admin.route|e %}
 {% else %}
-    {% set title = "PLUGIN_ADMIN.USERS"|tu %}
+    {% set title = "PLUGIN_ADMIN_PRO.USERS"|tu %}
 {% endif %}

 {% block titlebar %}
    {% if not admin.route %}
-        <div class="button-bar">
-            <a class="button" href="#modal" data-remodal-target="modal"><i class="fa fa-plus"></i> {{ "PLUGIN_ADMIN.ADD_ACCOUNT"|tu }}</a>
-        </div>
-        <h1><i class="fa fa-fw fa-users"></i> {{ "PLUGIN_ADMIN.USERS"|tu }}</h1>
+        {% if authorize(['admin.users', 'admin.super']) %}
+            <div class="button-bar">
+                <a class="button" href="#modal" data-remodal-target="modal"><i class="fa fa-plus"></i> {{ "PLUGIN_ADMIN.ADD_ACCOUNT"|tu }}</a>
+            </div>
+            <h1><i class="fa fa-fw fa-users"></i> {{ "PLUGIN_ADMIN.USERS"|tu }}</h1>
+        {% else %}
+            <h1>{{ "PLUGIN_ADMIN.ACCESS_DENIED"|tu }}</h1>
+        {% endif %}
    {% else %}
-        <div class="button-bar">
-            {% if config.plugins["admin-pro"].enabled %}
-            <a class="button" href="{{ base_url }}/users"><i class="fa fa-reply"></i> {{ "PLUGIN_ADMIN.BACK"|tu }}</a>
-            {% endif %}
-            <button class="button" type="submit" name="task" value="save" form="blueprints"><i class="fa fa-check"></i> {{ "PLUGIN_ADMIN.SAVE"|tu }}</button>
-        </div>
-        <h1><i class="fa fa-fw fa-user"></i> {{ "PLUGIN_ADMIN.USER"|tu }}: {{ user.username|e }}</h1>
+        {% if authorize(['admin.users', 'admin.super']) or grav.user.username == user.username %}
+            <div class="button-bar">
+                {% if config.plugins["admin-pro"].enabled %}
+                <a class="button" href="{{ base_url }}/users"><i class="fa fa-reply"></i> {{ "PLUGIN_ADMIN.BACK"|tu }}</a>
+                {% endif %}
+                <button class="button" type="submit" name="task" value="save" form="blueprints"><i class="fa fa-check"></i> {{ "PLUGIN_ADMIN.SAVE"|tu }}</button>
+            </div>
+            <h1><i class="fa fa-fw fa-user"></i> {{ "PLUGIN_ADMIN.USER"|tu }}: {{ user.username|e }}</h1>
+        {% else %}
+            <h1>{{ "PLUGIN_ADMIN.ACCESS_DENIED"|tu }}</h1>
+        {% endif %}
    {% endif %}
 {% endblock %}

 {% block content %}
+    {% if authorize(['admin.users', 'admin.super']) or grav.user.username == user.username %}
    <div>
        {% if not admin.route %}
            {% include 'partials/users-list.html.twig' %}
@@ -50,5 +59,6 @@
            </div>
        </form>
    </div>
+    {% endif %}
 {% endblock %}