| author | Greg Roach <fisharebest@gmail.com> | 2021-04-30 13:42:41 +0100 |
|---|---|---|
| committer | Greg Roach <fisharebest@gmail.com> | 2021-04-30 13:45:17 +0100 |
| commit | 9608febee91e56bccd24c2c203e71e033a1674bf (patch) | |
| tree | 69b204ca08c0b5638661b4378cc743795640e096 | |
| parent | bedb7c602e8a6c2d93c6665370b55352932f6ed5 (diff) | |
Fix: managers cannot edit tree-page blocks
| -rw-r--r-- | app/Http/RequestHandlers/TreePageBlockEdit.php | 3 | ||||
| -rw-r--r-- | app/Http/RequestHandlers/TreePageBlockUpdate.php | 3 | ||||
| -rw-r--r-- | app/Services/HomePageService.php | 45 |
3 files changed, 17 insertions, 34 deletions
diff --git a/app/Http/RequestHandlers/TreePageBlockEdit.php b/app/Http/RequestHandlers/TreePageBlockEdit.php
index c41302a5d7..ad61174862 100644
--- a/app/Http/RequestHandlers/TreePageBlockEdit.php
+++ b/app/Http/RequestHandlers/TreePageBlockEdit.php
@@ -58,9 +58,8 @@ class TreePageBlockEdit implements RequestHandlerInterface
 $tree = $request->getAttribute('tree');
 assert($tree instanceof Tree);
- $user = $request->getAttribute('user');
 $block_id = (int) $request->getQueryParams()['block_id'];
- $block = $this->home_page_service->treeBlock($request, $user);
+ $block = $this->home_page_service->treeBlock($request);
 $title = $block->title() . ' — ' . I18N::translate('Preferences');
 return $this->viewResponse('modules/edit-block-config', [
diff --git a/app/Http/RequestHandlers/TreePageBlockUpdate.php b/app/Http/RequestHandlers/TreePageBlockUpdate.php
index 8aa4444b3f..b60e6c7058 100644
--- a/app/Http/RequestHandlers/TreePageBlockUpdate.php
+++ b/app/Http/RequestHandlers/TreePageBlockUpdate.php
@@ -55,8 +55,7 @@ class TreePageBlockUpdate implements RequestHandlerInterface
 $tree = $request->getAttribute('tree');
 assert($tree instanceof Tree);
- $user = $request->getAttribute('user');
- $block = $this->home_page_service->treeBlock($request, $user);
+ $block = $this->home_page_service->treeBlock($request);
 $block_id = (int) $request->getQueryParams()['block_id'];
 $block->saveBlockConfiguration($request, $block_id);
diff --git a/app/Services/HomePageService.php b/app/Services/HomePageService.php
index 7fa7691a6f..97c8d5987f 100644
--- a/app/Services/HomePageService.php
+++ b/app/Services/HomePageService.php
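Review bot: With `$user` gone, the handler hands only the request to `treeBlock()`, which after this commit performs no authorization of its own, so the only thing keeping a non-manager out of this edit form is whatever guards the route (presumably a manager-only middleware, not visible here); that dependency is invisible at the call site and deserves a comment above it, e.g. `// Authorization is enforced by the route guard, not by treeBlock().` The same applies to the TreePageBlockUpdate hunk, which saves the configuration straight after the lookup. On the unchanged context line, `(int) $request->getQueryParams()['block_id']` still raises an undefined-index warning and yields 0 when the parameter is absent; `(int) ($request->getQueryParams()['block_id'] ?? 0)` would be quieter, though that is pre-existing. Both handler bodies continue outside the hunks.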
@@ -53,14 +53,13 @@ class HomePageService
 }
 /**
- * Load a block and check we have permission to edit it.
+ * Load a tree block.
 *
 * @param ServerRequestInterface $request
- * @param UserInterface $user
 *
 * @return ModuleBlockInterface
 */
- public function treeBlock(ServerRequestInterface $request, UserInterface $user): ModuleBlockInterface
+ public function treeBlock(ServerRequestInterface $request): ModuleBlockInterface
 {
 $tree = $request->getAttribute('tree');
 assert($tree instanceof Tree);
@@ -73,25 +72,19 @@ class HomePageService
 ->whereNull('user_id')
 ->first();
- if (!$block instanceof stdClass) {
- throw new HttpNotFoundException();
- }
-
- $module = $this->module_service->findByName($block->module_name);
+ if ($block instanceof stdClass) {
+ $module = $this->module_service->findByName($block->module_name);
- if (!$module instanceof ModuleBlockInterface) {
- throw new HttpNotFoundException();
- }
-
- if ($block->user_id !== $user->id() && !Auth::isAdmin()) {
- throw new HttpAccessDeniedException();
+ if ($module instanceof ModuleBlockInterface) {
+ return $module;
+ }
 }
- return $module;
+ throw new HttpNotFoundException();
 }
 /**
- * Load a block and check we have permission to edit it.
+ * Load a user block.
 *
 * @param ServerRequestInterface $request
 * @param UserInterface $user
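Review bot: The new docblock `Load a tree block.` drops the only statement about permissions without replacing it, although the method's contract has changed from "load and authorize" to "load only"; say so explicitly, e.g. ` * Load a tree block. Performs no permission check; callers must sit behind a manager-only route guard.` The guard removed in the second hunk compared `$block->user_id` with `$user->id()`, but the query at the top of that hunk restricts to `->whereNull('user_id')`, so the comparison could never be false and only admins got through — the bug the title describes — which makes deleting it rather than repairing it defensible, but it means this code path now contains no authorization at all. A `@throws HttpNotFoundException` tag would also help, since the method now throws both when no row matches and when the named module is not a block. The remainder of treeBlock(), including the query's other where-clauses, lies outside these hunks.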
@@ -108,23 +101,15 @@ class HomePageService
 ->whereNull('gedcom_id')
 ->first();
- if (!$block instanceof stdClass) {
- throw new HttpNotFoundException('This block does not exist');
- }
-
- $module = $this->module_service->findByName($block->module_name);
-
- if (!$module instanceof ModuleBlockInterface) {
- throw new HttpNotFoundException($block->module_name . ' is not a block');
- }
-
- $block_owner_id = (int) $block->user_id;
+ if ($block instanceof stdClass) {
+ $module = $this->module_service->findByName($block->module_name);
- if ($block_owner_id !== $user->id() && !Auth::isAdmin()) {
- throw new HttpAccessDeniedException('You are not allowed to edit this block');
+ if ($module instanceof ModuleBlockInterface) {
+ return $module;
+ }
 }
- return $module;
+ throw new HttpNotFoundException();
 }
 /**
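Review bot: Dropping the `$block_owner_id !== $user->id() && !Auth::isAdmin()` guard from userBlock() is only safe if the query whose tail is visible at the top of the hunk (`->whereNull('gedcom_id')`) also filters on the requesting user's id; that part of the query is outside the hunk, and if it selects by `block_id` alone, any signed-in user could now load — and, through the callers, edit — another user's block. Unlike treeBlock(), this check was not obviously dead code (the owner id is cast from a user-block row rather than forced to null by the query), so it was defence in depth, and I would either keep it or confirm the where-clause before merging. The commit also replaces the descriptive messages ('This block does not exist', '... is not a block') with a bare `throw new HttpNotFoundException();`; retaining at least the first makes failures easier to diagnose. userBlock()'s signature, its retained `$user` parameter and the start of the query all precede this hunk.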
