Fix leak of private information when updating users

Fixes #1628.
This commit is contained in:
Franz Liedke 2018-11-09 11:39:20 +01:00
parent fad8ed335d
commit ebcc173496


@ -12,6 +12,7 @@
namespace Flarum\Api\Controller;
use Flarum\Api\Serializer\CurrentUserSerializer;
use Flarum\Api\Serializer\UserSerializer;
use Flarum\User\Command\EditUser;
use Flarum\User\Exception\PermissionDeniedException;
use Illuminate\Contracts\Bus\Dispatcher;
@ -23,7 +24,7 @@ class UpdateUserController extends AbstractShowController
/**
* {@inheritdoc}
*/
public $serializer = CurrentUserSerializer::class;
public $serializer = UserSerializer::class;
/**
* {@inheritdoc}
@ -52,6 +53,10 @@ class UpdateUserController extends AbstractShowController
$actor = $request->getAttribute('actor');
$data = array_get($request->getParsedBody(), 'data', []);
if ($actor->id == $id) {
$this->serializer = CurrentUserSerializer::class;
}
// Require the user's current password if they are attempting to change
// their own email address.
if (isset($data['attributes']['email']) && $actor->id == $id) {
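Review bot: The new self-edit check at `if ($actor->id == $id)` only ever switches the serializer one way — if this controller instance is resolved once and reused across requests, a self-edit would leave `$this->serializer` set to `CurrentUserSerializer::class` for the next request that edits a different user, re-introducing the leak the commit fixes. It also uses a loose `==` between an integer id and a route parameter that is presumably a string, which on PHP 7 accepts numeric-prefixed strings; the pre-existing email check on the last line shares that comparison. Assigning unconditionally would cover both: `$this->serializer = $actor->id === (int) $id ? CurrentUserSerializer::class : UserSerializer::class;` (the cast assumes `$id` is a numeric route parameter — confirm where it is read). The enclosing `data()` method begins and ends outside the hunk, so where `$id` is extracted is not visible here.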