authorGreg Roach <fisharebest@gmail.com>2021-04-30 13:42:41 +0100
committerGreg Roach <fisharebest@gmail.com>2021-04-30 13:45:17 +0100
commit9608febee91e56bccd24c2c203e71e033a1674bf (patch)
tree69b204ca08c0b5638661b4378cc743795640e096
parentbedb7c602e8a6c2d93c6665370b55352932f6ed5 (diff)
Fix: managers cannot edit tree-page blocks
-rw-r--r--app/Http/RequestHandlers/TreePageBlockEdit.php3
-rw-r--r--app/Http/RequestHandlers/TreePageBlockUpdate.php3
-rw-r--r--app/Services/HomePageService.php45
3 files changed, 17 insertions, 34 deletions
diff --git a/app/Http/RequestHandlers/TreePageBlockEdit.php b/app/Http/RequestHandlers/TreePageBlockEdit.php
index c41302a5d7..ad61174862 100644
--- a/app/Http/RequestHandlers/TreePageBlockEdit.php
+++ b/app/Http/RequestHandlers/TreePageBlockEdit.php
@@ -58,9 +58,8 @@ class TreePageBlockEdit implements RequestHandlerInterface
$tree = $request->getAttribute('tree');
assert($tree instanceof Tree);
- $user = $request->getAttribute('user');
$block_id = (int) $request->getQueryParams()['block_id'];
- $block = $this->home_page_service->treeBlock($request, $user);
+ $block = $this->home_page_service->treeBlock($request);
$title = $block->title() . ' — ' . I18N::translate('Preferences');
return $this->viewResponse('modules/edit-block-config', [
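Review bot: After this change neither TreePageBlockEdit nor TreePageBlockUpdate (nor HomePageService::treeBlock, which both call) performs any check on who may edit a tree block — the `$user`-based check was removed from treeBlock rather than corrected, and nothing in the diff shows a replacement. For tree blocks `user_id` is null (treeBlock filters on `whereNull('user_id')`), so the old `$block->user_id !== $user->id()` comparison was always true and the edit was effectively admin-only, which is presumably the bug the commit title describes; the intended rule appears to be "manager of this tree". Unless the route is already restricted to tree managers by middleware, each handler should enforce that explicitly before loading the block, e.g. `if (!Auth::isManager($tree, $request->getAttribute('user'))) { throw new HttpAccessDeniedException(); }`. The enclosing handle() method starts and ends outside the hunk, as it does in the TreePageBlockUpdate hunk.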
diff --git a/app/Http/RequestHandlers/TreePageBlockUpdate.php b/app/Http/RequestHandlers/TreePageBlockUpdate.php
index 8aa4444b3f..b60e6c7058 100644
--- a/app/Http/RequestHandlers/TreePageBlockUpdate.php
+++ b/app/Http/RequestHandlers/TreePageBlockUpdate.php
@@ -55,8 +55,7 @@ class TreePageBlockUpdate implements RequestHandlerInterface
$tree = $request->getAttribute('tree');
assert($tree instanceof Tree);
- $user = $request->getAttribute('user');
- $block = $this->home_page_service->treeBlock($request, $user);
+ $block = $this->home_page_service->treeBlock($request);
$block_id = (int) $request->getQueryParams()['block_id'];
$block->saveBlockConfiguration($request, $block_id);
diff --git a/app/Services/HomePageService.php b/app/Services/HomePageService.php
index 7fa7691a6f..97c8d5987f 100644
--- a/app/Services/HomePageService.php
+++ b/app/Services/HomePageService.php
@@ -53,14 +53,13 @@ class HomePageService
}
/**
- * Load a block and check we have permission to edit it.
+ * Load a tree block.
*
* @param ServerRequestInterface $request
- * @param UserInterface $user
*
* @return ModuleBlockInterface
*/
- public function treeBlock(ServerRequestInterface $request, UserInterface $user): ModuleBlockInterface
+ public function treeBlock(ServerRequestInterface $request): ModuleBlockInterface
{
$tree = $request->getAttribute('tree');
assert($tree instanceof Tree);
@@ -73,25 +72,19 @@ class HomePageService
->whereNull('user_id')
->first();
- if (!$block instanceof stdClass) {
- throw new HttpNotFoundException();
- }
-
- $module = $this->module_service->findByName($block->module_name);
+ if ($block instanceof stdClass) {
+ $module = $this->module_service->findByName($block->module_name);
- if (!$module instanceof ModuleBlockInterface) {
- throw new HttpNotFoundException();
- }
-
- if ($block->user_id !== $user->id() && !Auth::isAdmin()) {
- throw new HttpAccessDeniedException();
+ if ($module instanceof ModuleBlockInterface) {
+ return $module;
+ }
}
- return $module;
+ throw new HttpNotFoundException();
}
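Review bot: The new docblock "Load a tree block." is silent on the fact that this method no longer checks permissions, and the old wording ("check we have permission to edit it") is exactly what callers will remember it doing; the docblock should say so explicitly and also declare the exception, e.g. `Load a tree block. No authorization is performed here; the caller must check that the user may edit the tree.` followed by `@throws HttpNotFoundException if the block or its module does not exist`. Note that the rewritten control flow now reports a missing block and an unknown/non-block module with the same bare HttpNotFoundException, whereas the parallel userBlock rewrite below drops messages that used to distinguish them — worth keeping a message in both for troubleshooting. The treeBlock method starts outside the hunk (its query builder begins before `->whereNull('user_id')`).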
/**
- * Load a block and check we have permission to edit it.
+ * Load a user block.
*
* @param ServerRequestInterface $request
* @param UserInterface $user
@@ -108,23 +101,15 @@ class HomePageService
->whereNull('gedcom_id')
->first();
- if (!$block instanceof stdClass) {
- throw new HttpNotFoundException('This block does not exist');
- }
-
- $module = $this->module_service->findByName($block->module_name);
-
- if (!$module instanceof ModuleBlockInterface) {
- throw new HttpNotFoundException($block->module_name . ' is not a block');
- }
-
- $block_owner_id = (int) $block->user_id;
+ if ($block instanceof stdClass) {
+ $module = $this->module_service->findByName($block->module_name);
- if ($block_owner_id !== $user->id() && !Auth::isAdmin()) {
- throw new HttpAccessDeniedException('You are not allowed to edit this block');
+ if ($module instanceof ModuleBlockInterface) {
+ return $module;
+ }
}
- return $module;
+ throw new HttpNotFoundException();
}
/**