User Settings should only be accessible to individual users or admini…

…strators
oqtane · Nov 27, 2024 · e786c35 · e786c35
1 parent ffea9e3
commit e786c35
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/Oqtane.Server/Controllers/SettingController.cs b/Oqtane.Server/Controllers/SettingController.cs
@@ -269,11 +269,7 @@ private bool IsAuthorized(string entityName, int entityId, string permissionName
                     authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, permissionName);
                     break;
                 case EntityNames.User:
-                    authorized = true;
-                    if (permissionName == PermissionNames.Edit)
-                    {
-                        authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
-                    }
+                    authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
                     break;
                 case EntityNames.Visitor:
                     authorized = User.IsInRole(RoleNames.Admin);
@@ -319,7 +315,7 @@ private bool FilterPrivate(string entityName, int entityId)
                     filter = !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, PermissionNames.Edit);
                     break;
                 case EntityNames.User:
-                    filter = !User.IsInRole(RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
+                    filter = !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
                     break;
                 case EntityNames.Visitor:
                     if (!User.IsInRole(RoleNames.Admin))