Commit a6670b98 authored by Taddeus Kroes's avatar Taddeus Kroes

Improved user access checks

parent ca355adb
...@@ -5,9 +5,20 @@ use Instante\Bootstrap3Renderer\BootstrapRenderer; ...@@ -5,9 +5,20 @@ use Instante\Bootstrap3Renderer\BootstrapRenderer;
use Nette\Security\Passwords; use Nette\Security\Passwords;
function find_user($id) { function find_user($id) {
global $db; global $app, $db, $user;
require_user_access($id);
return $db->table('user')->get($id); if (!$user->isLoggedIn())
$app->redirect(ROOT_URL . '/login');
if ($user->getId() != $id && !in_array('admin', $user->getRoles()))
$app->halt(403, _('No access to this user'));
$dbuser = $db->table('user')->get($id);
if (!$dbuser)
$app->halt(403, _('User not found'));
return $dbuser;
} }
function edit_user_form($dbuser) { function edit_user_form($dbuser) {
...@@ -114,8 +125,7 @@ function plot_filter_form($dbuser, $matches, $default_discipline) { ...@@ -114,8 +125,7 @@ function plot_filter_form($dbuser, $matches, $default_discipline) {
} }
$app->get('/user/:id/plot', function ($id) use ($app, $db, $user) { $app->get('/user/:id/plot', function ($id) use ($app, $db, $user) {
require_user_access($id); $dbuser = find_user($id);
$dbuser = $db->table('user')->get($user->getId());
$matches = $db->table('match') $matches = $db->table('match')
->where(array('user_id' => $id)) ->where(array('user_id' => $id))
......
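Review bot: In find_user the ownership check compares the route parameter with a loose `!=` and the role check calls in_array() without the strict flag, so whether a request passes depends on PHP's numeric-string coercion rules rather than on an explicit normalisation of `$id`. Since `$id` arrives from the URL as a string and is reused unchanged in the table lookup, normalise it once and compare strictly: `$id = (int) $id;` at the top of the function and `if ((int) $user->getId() !== $id && !in_array('admin', $user->getRoles(), true))`. This presumably admits the same users as today, but it makes the intent explicit and removes the dependence on comparison semantics that changed between PHP versions. Separately, the `User not found` branch halts with 403 where 404 is the conventional status; if 403 is meant to avoid revealing which ids exist, the message text already discloses it, so one of the two should change.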
...@@ -45,16 +45,6 @@ function set_accept_locale($supported_languages=null) { ...@@ -45,16 +45,6 @@ function set_accept_locale($supported_languages=null) {
return null; return null;
} }
function require_user_access($user_id) {
global $user, $app;
if (!$user->isLoggedIn())
$app->redirect(ROOT_URL . '/login');
if ($user->getId() != $user_id && !in_array('admin', $user->getRoles()))
$app->halt(403, _('No access to this user'));
}
function find_match($id) { function find_match($id) {
global $app, $db, $user; global $app, $db, $user;
$match = $db->table('match')->get($id); $match = $db->table('match')->get($id);
......