Is your feature request related to a problem? Please describe.
Currently the user-edit fields in the User-Info UI (= Edit username, user-email and password) are saved by calling the API function updateUser in UserController. Since this API function also allows for changing Roles associated with the User it is only callable for Users with the privilege USER_EDIT_ALL (usually Admins). Therefore changing the password or other info for the logged in user this way leads to an error.
Describe the solution you'd like
Create a new API function for only changing the password, username and email. This might imply also splitting up the current UserService function for this purpose. Change the User-Info UI to call this function when User-Details are changed (i.e. the save-button which performs a submit). The API function should only be callable if the logged in user has USER_EDIT_ALL or if the callable user has USER_EDIT and wants to edit themselves:
@PreAuthorize(value = "hasGlobalPermission(@PC.USER_EDIT_ALL) or (hasGlobalPermission(@PC.USER_EDIT) and #userId.equals(loggedInUUID()))")
Additional context
This issue impacts both the API and the UI, but there is no separate API Issue (all handled in this issue).
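The rule and the field split requested in this issue, as an added plain-Java example that is not the project's code: the update type carries no roles, and the check mirrors the `@PreAuthorize` expression above. All class and method names are hypothetical, permissions are modelled as plain strings, and the Spring wiring is left out.

```java
import java.util.*;

// Added illustration, not the project's code. All class and method names are hypothetical.
public class SelfEditDemo {
    // Only the fields the issue lists; roles are absent so a request cannot carry them.
    record UserDetailsUpdate(String username, String email, String password) {}

    static final class User {
        final UUID id; String username, email, password; final Set<String> roles;
        User(UUID id, String username, String email, String password, Set<String> roles) {
            this.id = id; this.username = username; this.email = email;
            this.password = password; this.roles = new HashSet<>(roles);
        }
    }

    // Mirrors the rule in the issue: USER_EDIT_ALL, or USER_EDIT when the target is the caller.
    static boolean mayEditDetails(Set<String> callerPermissions, UUID callerId, UUID targetId) {
        return callerPermissions.contains("USER_EDIT_ALL")
            || (callerPermissions.contains("USER_EDIT") && targetId.equals(callerId));
    }

    static void updateUserDetails(Set<String> callerPermissions, UUID callerId,
                                  User target, UserDetailsUpdate update) {
        if (!mayEditDetails(callerPermissions, callerId, target.id)) {
            throw new SecurityException("not permitted to edit user " + target.id);
        }
        target.username = update.username();
        target.email = update.email();
        target.password = update.password(); // a real service would store a password hash
        // target.roles is never written on this path
    }

    public static void main(String[] args) {
        // Constructed sample users and permission sets
        User alice = new User(UUID.randomUUID(), "alice", "alice@example.org", "old", Set.of("EDITOR"));
        User bob = new User(UUID.randomUUID(), "bob", "bob@example.org", "old", Set.of("EDITOR"));
        Set<String> userPerms = Set.of("USER_EDIT");
        Set<String> adminPerms = Set.of("USER_EDIT_ALL");

        updateUserDetails(userPerms, alice.id, alice, new UserDetailsUpdate("alice2", "a2@example.org", "new"));
        System.out.println(alice.username + " roles=" + alice.roles);
        try {
            updateUserDetails(userPerms, alice.id, bob, new UserDetailsUpdate("x", "x@example.org", "x"));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        updateUserDetails(adminPerms, alice.id, bob, new UserDetailsUpdate("bob2", "b2@example.org", "new"));
        System.out.println(bob.username + " roles=" + bob.roles);
    }
}
```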