From e786c35f7d5d21b2458dc3dd9f422b327d158f12 Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Wed, 27 Nov 2024 13:04:06 -0500
Subject: [PATCH] User Settings should only be accessible to individual users or administrators

---
 Oqtane.Server/Controllers/SettingController.cs | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/Oqtane.Server/Controllers/SettingController.cs b/Oqtane.Server/Controllers/SettingController.cs
index d8a95cbe4..298b6b014 100644
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@@ -269,11 +269,7 @@ private bool IsAuthorized(string entityName, int entityId, string permissionName
 authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, permissionName);
 break;
 case EntityNames.User:
- authorized = true;
- if (permissionName == PermissionNames.Edit)
- {
- authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
- }
+ authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
 break;
 case EntityNames.Visitor:
 authorized = User.IsInRole(RoleNames.Admin);
@@ -319,7 +315,7 @@ private bool FilterPrivate(string entityName, int entityId)
 filter = !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, PermissionNames.Edit);
 break;
 case EntityNames.User:
- filter = !User.IsInRole(RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
+ filter = !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, -1, PermissionNames.Write, RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
 break;
 case EntityNames.Visitor:
 if (!User.IsInRole(RoleNames.Admin))
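Review bot: The added `EntityNames.User` line in IsAuthorized dereferences `_userPermissions.GetUser(User).UserId` whenever the admin check fails, so if GetUser can return null for an anonymous or unrecognised principal the request ends in a NullReferenceException (a 500) rather than a clean deny; the same dereference is in the new FilterPrivate line of the second hunk. A null-conditional keeps the deny path as a plain false, `_userPermissions.GetUser(User)?.UserId == entityId` (and `!= entityId` in FilterPrivate, where a null user should then read as "filter it"). Both hunks now hand-write the same self-or-admin expression, and since this branch no longer looks at permissionName it is worth saying so once: a helper such as `private bool IsSelfOrAdmin(int userId) => _userPermissions.IsAuthorized(User, _alias.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) || _userPermissions.GetUser(User)?.UserId == userId;` lets the two sites become `authorized = IsSelfOrAdmin(entityId);` and `filter = !IsSelfOrAdmin(entityId);`, with a comment on it along the lines of `// user settings: every permission (view and edit) requires the user themselves or a site administrator`. Both IsAuthorized and FilterPrivate start and end outside their hunks, so the surrounding switch and return are not visible here.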