  1. eZ Publish / Platform
  2. EZP-24620

UpdateUser() does not work with selfedit policy


Details

    Description

      If a user has the policy "user", "selfedit", the updateUser() function from the UserService will throw an Unauthorized exception.

      I believe the issue comes from this piece of code:

      eZ/Publish/Core/Repository/UserService.php
      public function updateUser( APIUser $user, UserUpdateStruct $userUpdateStruct )
      {
          // [...]
          if ( !$this->repository->canUser( 'content', 'edit', $loadedUser ) )
              throw new UnauthorizedException( 'content', 'edit' );
          // [...]
      }
      

      The updateUser function only checks if the user has access to "content" "edit".

      Steps to reproduce:
      1. Create a user with the "user" "selfedit" policy (but no "content" "edit" policy for users).
      2. From a controller, try to edit the user's password using a userUpdateStruct.
      3. When calling $userService->updateUser($user, $userUpdateStruct); an unauthorized exception is thrown: User does not have access to "Content" "Edit".

      I hope the description is clear enough.
      Thanks.

          People

            Unassigned Unassigned
            heyfara heyfara
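
The check quoted in the report, next to a variant that honours "user" "selfedit" only when the target is the caller's own account. This is an added stand-alone PHP model, not part of the original report and not eZ Publish code; `canUser()` here, the `module/function` policy strings and the user IDs are hypothetical stand-ins for the repository's permission lookup.

```php
<?php
// Added illustration: a simplified model, not the eZ Publish implementation.
final class UnauthorizedException extends RuntimeException {}

// Hypothetical stand-in: policies are plain "module/function" strings.
function canUser(array $policies, string $module, string $function): bool
{
    return in_array("$module/$function", $policies, true);
}

// Check as quoted in the report: only content/edit is considered.
function checkAsReported(array $policies, int $currentId, int $targetId): void
{
    if (!canUser($policies, 'content', 'edit')) {
        throw new UnauthorizedException('content/edit');
    }
}

// Variant: user/selfedit is accepted, but only for the caller's own account.
function checkWithSelfEdit(array $policies, int $currentId, int $targetId): void
{
    if (canUser($policies, 'content', 'edit')) {
        return;
    }
    if ($currentId === $targetId && canUser($policies, 'user', 'selfedit')) {
        return;
    }
    throw new UnauthorizedException('content/edit');
}

function outcome(callable $check, array $policies, int $currentId, int $targetId): string
{
    try {
        $check($policies, $currentId, $targetId);
        return 'allowed';
    } catch (UnauthorizedException $e) {
        return 'denied';
    }
}

// Constructed sample data: user 14 holds only user/selfedit (step 1 of the report).
$selfEditOnly = ['user/selfedit'];
$cases = [
    'reported check, own account'   => ['checkAsReported', 14, 14],
    'selfedit check, own account'   => ['checkWithSelfEdit', 14, 14],
    'selfedit check, other account' => ['checkWithSelfEdit', 14, 10],
];
foreach ($cases as $label => [$check, $currentId, $targetId]) {
    printf("%-30s %s\n", $label, outcome($check, $selfEditOnly, $currentId, $targetId));
}
```

The third case is the one to keep denied: a selfedit fallback that does not compare the target with the current user would let any selfedit holder update other accounts.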