From f417675b1d4987de06698b64c03022f21d4b22d6 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Tue, 6 Aug 2019 21:29:42 +0100
Subject: [PATCH] Prevented normal users from changing own email

To address #1542

Updates to only allow email changes by users with the users-manage role permission.
---
 app/Http/Controllers/UserController.php | 7 ++++-
 resources/views/form/text.blade.php | 1 +
 resources/views/users/form.blade.php | 2 +-
 tests/Permissions/RolesTest.php | 37 +++++++++++++++++++++++++
 4 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 8191fbfe2..570896ab6 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -146,7 +146,12 @@ class UserController extends Controller
 ]);
 
 $user = $this->userRepo->getById($id);
- $user->fill($request->all());
+ $user->fill($request->except(['email']));
+
+ // Email updates
+ if (userCan('users-manage') && $request->filled('email')) {
+ $user->email = $request->get('email');
+ }
 
 // Role updates
 if (userCan('users-manage') && $request->filled('roles')) {
diff --git a/resources/views/form/text.blade.php b/resources/views/form/text.blade.php
index 948a55cbc..909e87286 100644
--- a/resources/views/form/text.blade.php
+++ b/resources/views/form/text.blade.php
@@ -1,6 +1,7 @@ has($name)) class="text-neg" @endif
 @if(isset($placeholder)) placeholder="{{$placeholder}}" @endif
+ @if(isset($disabled) && $disabled) disabled="disabled" @endif
 @if(isset($tabindex)) tabindex="{{$tabindex}}" @endif
 @if(isset($model) || old($name)) value="{{ old($name) ? old($name) : $model->$name}}" @endif>
 @if($errors->has($name))
diff --git a/resources/views/users/form.blade.php b/resources/views/users/form.blade.php
index 96beb7b2f..3d073b2c8 100644
--- a/resources/views/users/form.blade.php
+++ b/resources/views/users/form.blade.php
@@ -19,7 +19,7 @@
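Review bot: In the UserController hunk a request from a user without users-manage that carries an `email` value is silently discarded by `$request->except(['email'])` and the guard on the next line, so the client receives a success response while the address is unchanged and gets no signal that the field was refused. Rejecting it explicitly would make the policy visible, e.g. `if (!userCan('users-manage') && $request->filled('email')) { abort(403); }` placed before the `fill` call, and would also keep the validation rules above (outside the hunk) from doing work on a value that is then ignored. `userCan('users-manage')` is now evaluated in both the email and the roles branches; hoisting it into `$canManageUsers = userCan('users-manage');` once above the two blocks reads cleaner. The enclosing update method starts and ends outside this hunk.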
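Review bot: In the text.blade.php hunk the new `disabled` attribute is presentational only — browsers omit disabled fields from the submitted form, and nothing in the template stops a request from carrying the value — so the enforcement has to live in the controller, which this commit does, but the partial should say so for the next reader: a Blade comment above the tag such as `{{-- 'disabled' only affects the rendered form; any restriction on the value must be enforced server-side --}}`. The condition `isset($disabled) && $disabled` can be written as `!empty($disabled)` to match the truthiness check intended here.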
 @if($authMethod !== 'ldap' || userCan('users-manage'))
- @include('form.text', ['name' => 'email'])
+ @include('form.text', ['name' => 'email', 'disabled' => !userCan('users-manage')])
 @endif
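Review bot: The enclosing `@if` already calls `userCan('users-manage')` and the changed include calls it a second time two lines later; computing it once with `@php $canManageUsers = userCan('users-manage'); @endphp` above the `@if` and using `$canManageUsers` in both places keeps the two conditions from drifting apart. A non-manager now sees a greyed-out email input with no explanation, so a short hint next to the field stating that the address is managed by an administrator would avoid support questions. The surrounding markup of this hunk is not fully visible here.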
diff --git a/tests/Permissions/RolesTest.php b/tests/Permissions/RolesTest.php
index 5bbdcf0bb..a1f193643 100644
--- a/tests/Permissions/RolesTest.php
+++ b/tests/Permissions/RolesTest.php
@@ -119,6 +119,43 @@ class RolesTest extends BrowserKitTest
 $this->actingAs($this->user)->visit('/')->dontSee($usersLink);
 }
 
+ public function test_user_cannot_change_email_unless_they_have_manage_users_permission()
+ {
+ $userProfileUrl = '/settings/users/' . $this->user->id;
+ $originalEmail = $this->user->email;
+ $this->actingAs($this->user);
+
+ $this->visit($userProfileUrl)
+ ->assertResponseOk()
+ ->seeElement('input[name=email][disabled]');
+ $this->put($userProfileUrl, [
+ 'name' => 'my_new_name',
+ 'email' => 'new_email@example.com',
+ ]);
+ $this->seeInDatabase('users', [
+ 'id' => $this->user->id,
+ 'email' => $originalEmail,
+ 'name' => 'my_new_name',
+ ]);
+
+ $this->giveUserPermissions($this->user, ['users-manage']);
+
+ $this->visit($userProfileUrl)
+ ->assertResponseOk()
+ ->dontSeeElement('input[name=email][disabled]')
+ ->seeElement('input[name=email]');
+ $this->put($userProfileUrl, [
+ 'name' => 'my_new_name_2',
+ 'email' => 'new_email@example.com',
+ ]);
+
+ $this->seeInDatabase('users', [
+ 'id' => $this->user->id,
+ 'email' => 'new_email@example.com',
+ 'name' => 'my_new_name_2',
+ ]);
+ }
+
 public function test_user_roles_manage_permission()
 {
 $this->actingAs($this->user)->visit('/settings/roles')
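Review bot: Both `put` calls in the new test send an explicit `email` key, but the submission a browser actually makes from the disabled form omits the field entirely, and the manager path depends on `$request->filled('email')` leaving the stored address alone in that case; neither is pinned here. Adding a third request after the permission grant, `$this->put($userProfileUrl, ['name' => 'my_new_name_3']);` followed by `$this->seeInDatabase('users', ['id' => $this->user->id, 'email' => 'new_email@example.com', 'name' => 'my_new_name_3']);`, would cover the absent-field path. The first `put` also only checks database state; asserting the response status as well would document whether a non-manager's submission with an email is meant to succeed silently or be rejected.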