github-mirror/BookStack
github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-04-02 21:59:06 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

User form: Always show external auth field, update access control

Browse Source 
Updated old user management routes to only be accessible with permission
to manage users, so also removed old content controls checking for that
permission.
This commit is contained in:
Dan Brown 2023-10-19 10:20:04 +01:00
parent e4ea73ee25
commit cf72e48d2a
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 27 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
app/Users/Controllers/UserController.php
View File

@ -103,8 +103,7 @@ class UserController extends Controller
*/ */
public function edit(int $id, SocialAuthService $socialAuthService) public function edit(int $id, SocialAuthService $socialAuthService)
{ {
$this->preventGuestAccess(); $this->checkPermission('users-manage');
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id); $user = $this->userRepo->getById($id);
$user->load(['apiTokens', 'mfaValues']); $user->load(['apiTokens', 'mfaValues']);
@ -134,8 +133,7 @@ class UserController extends Controller
public function update(Request $request, int $id) public function update(Request $request, int $id)
{ {
$this->preventAccessInDemoMode(); $this->preventAccessInDemoMode();
$this->preventGuestAccess(); $this->checkPermission('users-manage');
$this->checkPermissionOrCurrentUser('users-manage', $id);
$validated = $this->validate($request, [ $validated = $this->validate($request, [
'name' => ['min:2', 'max:100'], 'name' => ['min:2', 'max:100'],
@ -150,7 +148,7 @@ class UserController extends Controller
]); ]);
$user = $this->userRepo->getById($id); $user = $this->userRepo->getById($id);
$this->userRepo->update($user, $validated, userCan('users-manage')); $this->userRepo->update($user, $validated, true);
// Save profile image if in request // Save profile image if in request
if ($request->hasFile('profile_image')) { if ($request->hasFile('profile_image')) {
@ -168,9 +166,7 @@ class UserController extends Controller
$user->save(); $user->save();
} }
$redirectUrl = userCan('users-manage') ? '/settings/users' : "/settings/users/{$user->id}"; return redirect('/settings/users');
return redirect($redirectUrl);
} }
/** /**
@ -178,8 +174,7 @@ class UserController extends Controller
*/ */
public function delete(int $id) public function delete(int $id)
{ {
$this->preventGuestAccess(); $this->checkPermission('users-manage');
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id); $user = $this->userRepo->getById($id);
$this->setPageTitle(trans('settings.users_delete_named', ['userName' => $user->name])); $this->setPageTitle(trans('settings.users_delete_named', ['userName' => $user->name]));
@ -195,8 +190,7 @@ class UserController extends Controller
public function destroy(Request $request, int $id) public function destroy(Request $request, int $id)
{ {
$this->preventAccessInDemoMode(); $this->preventAccessInDemoMode();
$this->preventGuestAccess(); $this->checkPermission('users-manage');
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id); $user = $this->userRepo->getById($id);
$newOwnerId = intval($request->get('new_owner_id')) ?: null; $newOwnerId = intval($request->get('new_owner_id')) ?: null;

2
lang/en/settings.php
View File

@ -193,7 +193,7 @@ return [
'users_send_invite_text' => 'You can choose to send this user an invitation email which allows them to set their own password otherwise you can set their password yourself.', 'users_send_invite_text' => 'You can choose to send this user an invitation email which allows them to set their own password otherwise you can set their password yourself.',
'users_send_invite_option' => 'Send user invite email', 'users_send_invite_option' => 'Send user invite email',
'users_external_auth_id' => 'External Authentication ID', 'users_external_auth_id' => 'External Authentication ID',
'users_external_auth_id_desc' => 'This is the ID used to match this user when communicating with your external authentication system.', 'users_external_auth_id_desc' => 'When an external authentication system is in use (such as SAML2, OIDC or LDAP) this is the ID which links this BookStack user to the authentication system account. You can ignore this field if using the default email-based authentication.',
'users_password_warning' => 'Only fill the below if you would like to change the password for this user.', 'users_password_warning' => 'Only fill the below if you would like to change the password for this user.',
'users_system_public' => 'This user represents any guest users that visit your instance. It cannot be used to log in but is assigned automatically.', 'users_system_public' => 'This user represents any guest users that visit your instance. It cannot be used to log in but is assigned automatically.',
'users_delete' => 'Delete User', 'users_delete' => 'Delete User',

4
resources/views/users/edit.blade.php
View File

@ -38,7 +38,7 @@
</div> </div>
<div class="text-right"> <div class="text-right">
<a href="{{ url(userCan('users-manage') ? "/settings/users" : "/") }}" <a href="{{ url("/settings/users") }}"
class="button outline">{{ trans('common.cancel') }}</a> class="button outline">{{ trans('common.cancel') }}</a>
@if($authMethod !== 'system') @if($authMethod !== 'system')
<a href="{{ url("/settings/users/{$user->id}/delete") }}" <a href="{{ url("/settings/users/{$user->id}/delete") }}"
@ -100,9 +100,7 @@
</section> </section>
@endif @endif
@if((user()->id === $user->id && userCan('access-api')) || userCan('users-manage'))
@include('users.api-tokens.parts.list', ['user' => $user]) @include('users.api-tokens.parts.list', ['user' => $user])
@endif
</div> </div>
@stop @stop

19
resources/views/users/parts/form.blade.php
View File

@ -11,7 +11,7 @@
@if($authMethod === 'ldap' || $authMethod === 'system') @if($authMethod === 'ldap' || $authMethod === 'system')
<p class="small">{{ trans('settings.users_details_desc_no_email') }}</p> <p class="small">{{ trans('settings.users_details_desc_no_email') }}</p>
@endif @endif
<div class="grid half mt-m gap-xl"> <div class="grid half mt-m gap-xl mb-l">
<div> <div>
<label for="name">{{ trans('auth.name') }}</label> <label for="name">{{ trans('auth.name') }}</label>
@include('form.text', ['name' => 'name']) @include('form.text', ['name' => 'name'])
@ -23,21 +23,19 @@
@endif @endif
</div> </div>
</div> </div>
</div>
@if(in_array($authMethod, ['ldap', 'saml2', 'oidc']) && userCan('users-manage'))
<div class="grid half gap-xl v-center">
<div> <div>
<label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label> <div class="form-group collapsible mb-none" component="collapsible" id="external-auth-field">
<button refs="collapsible@trigger" type="button" class="collapse-title text-link" aria-expanded="false">
<label for="external-auth">{{ trans('settings.users_external_auth_id') }}</label>
</button>
<div refs="collapsible@content" class="collapse-content stretch-inputs">
<p class="small">{{ trans('settings.users_external_auth_id_desc') }}</p> <p class="small">{{ trans('settings.users_external_auth_id_desc') }}</p>
</div>
<div>
@include('form.text', ['name' => 'external_auth_id']) @include('form.text', ['name' => 'external_auth_id'])
</div> </div>
</div> </div>
@endif </div>
</div>
@if(userCan('users-manage'))
<div> <div>
<label for="role" class="setting-list-label">{{ trans('settings.users_role') }}</label> <label for="role" class="setting-list-label">{{ trans('settings.users_role') }}</label>
<p class="small">{{ trans('settings.users_role_desc') }}</p> <p class="small">{{ trans('settings.users_role_desc') }}</p>
@ -45,7 +43,6 @@
@include('form.role-checkboxes', ['name' => 'roles', 'roles' => $roles]) @include('form.role-checkboxes', ['name' => 'roles', 'roles' => $roles])
</div> </div>
</div> </div>
@endif
@if($authMethod === 'standard') @if($authMethod === 'standard')
<div component="new-user-password"> <div component="new-user-password">