Merge pull request #4878 from sbwalker/dev

User Settings should only be accessible to individual users or administrators

Oqtane.Server/Controllers/SettingController.cs

@@ -269,11 +269,7 @@ private bool IsAuthorized(string entityName, int entityId, string permissionName
                     authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, permissionName);
                     break;
                 case EntityNames.User:
-                    authorized = true;
-                    if (permissionName == PermissionNames.Edit)
-                    {
-                        authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
-                    }
+                    authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
                     break;
                 case EntityNames.Visitor:
                     authorized = User.IsInRole(RoleNames.Admin);
@@ -319,7 +315,7 @@ private bool FilterPrivate(string entityName, int entityId)
                     filter = !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, PermissionNames.Edit);
                     break;
                 case EntityNames.User:
-                    filter = !User.IsInRole(RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
+                    filter = !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
                     break;
                 case EntityNames.Visitor:
                     if (!User.IsInRole(RoleNames.Admin))