Improved user access checks

routes/user.php

@@ -5,9 +5,20 @@ use Instante\Bootstrap3Renderer\BootstrapRenderer;
 use Nette\Security\Passwords;
 
 function find_user($id) {
-    global $db;
-    require_user_access($id);
-    return $db->table('user')->get($id);
+    global $app, $db, $user;
+
+    if (!$user->isLoggedIn())
+        $app->redirect(ROOT_URL . '/login');
+
+    if ($user->getId() != $id && !in_array('admin', $user->getRoles()))
+        $app->halt(403, _('No access to this user'));
+
+    $dbuser = $db->table('user')->get($id);
+
+    if (!$dbuser)
+        $app->halt(403, _('User not found'));
+
+    return $dbuser;
 }
 
 function edit_user_form($dbuser) {
@@ -114,8 +125,7 @@ function plot_filter_form($dbuser, $matches, $default_discipline) {
 }
 
 $app->get('/user/:id/plot', function ($id) use ($app, $db, $user) {
-    require_user_access($id);
-    $dbuser = $db->table('user')->get($user->getId());
+    $dbuser = find_user($id);
 
     $matches = $db->table('match')
         ->where(array('user_id' => $id))

util.php

@@ -45,16 +45,6 @@ function set_accept_locale($supported_languages=null) {
     return null;
 }
 
-function require_user_access($user_id) {
-    global $user, $app;
-
-    if (!$user->isLoggedIn())
-        $app->redirect(ROOT_URL . '/login');
-
-    if ($user->getId() != $user_id && !in_array('admin', $user->getRoles()))
-        $app->halt(403, _('No access to this user'));
-}
-
 function find_match($id) {
     global $app, $db, $user;
     $match = $db->table('match')->get($id);