Details
- Type: Bug
- Resolution: Unresolved
- Priority: High
- Version: 5.4.0
Description
If a user has the policy "user", "selfedit", the updateUser() function from the UserService will throw an Unauthorized exception.
I believe the issue comes from this piece of code:
eZ/Publish/Core/Repository/UserService.php

    public function updateUser( APIUser $user, UserUpdateStruct $userUpdateStruct )
    {
        // [...]
        if ( !$this->repository->canUser( 'content', 'edit', $loadedUser ) )
            throw new UnauthorizedException( 'content', 'edit' );
        // [...]
    }
The updateUser function only checks if the user has access to "content" "edit".
Steps to reproduce:
1. Create a user with the "user" "selfedit" policy (but no "content" "edit" policy for users).
2. From a controller try to edit the user's password using a userUpdateStruct.
3. When calling $userService->updateUser($user, $userUpdateStruct); an unauthorized exception is thrown: User does not have access to "Content" "Edit".
I hope the description is clear enough.
Thanks.
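As an added illustration (not code from eZ Publish or from the reporter), the following stand-alone PHP sketch puts the check described in the report next to one that also honours a "user"/"selfedit" policy, but only when the account being edited is the caller's own. The PolicyChecker interface, the InMemoryPolicyChecker test double and the policy list are constructed for this example; whether eZ's real Repository::canUser() would evaluate "user"/"selfedit" in this way is an assumption, not something the report states.

```php
<?php
// Added illustration, not eZ Publish code: a minimal stand-in for the
// permission check in UserService::updateUser(). PolicyChecker and
// InMemoryPolicyChecker are hypothetical test doubles; the real
// Repository::canUser($module, $function, $object) is not called here.

interface PolicyChecker
{
    /** True if the current user holds the policy $module/$function. */
    public function hasPolicy(string $module, string $function): bool;
}

final class InMemoryPolicyChecker implements PolicyChecker
{
    /** @var string[] entries like "content/edit" */
    private $policies;

    /** @param string[] $policies */
    public function __construct(array $policies)
    {
        $this->policies = $policies;
    }

    public function hasPolicy(string $module, string $function): bool
    {
        return in_array($module . '/' . $function, $this->policies, true);
    }
}

/** The check as the report describes it: only content/edit is consulted. */
function canUpdateUserCurrent(PolicyChecker $c, int $currentUserId, int $targetUserId): bool
{
    return $c->hasPolicy('content', 'edit');
}

/**
 * Shape of a check that also honours user/selfedit: content/edit still
 * allows editing any user, while user/selfedit allows editing only the
 * caller's own account. The identity comparison is what keeps selfedit
 * from turning into a right to edit other users (assumption: user ids
 * identify the account).
 */
function canUpdateUserWithSelfEdit(PolicyChecker $c, int $currentUserId, int $targetUserId): bool
{
    if ($c->hasPolicy('content', 'edit')) {
        return true;
    }
    return $currentUserId === $targetUserId && $c->hasPolicy('user', 'selfedit');
}

// Constructed scenario from the report: a user holding user/selfedit but no content/edit.
$selfEditOnly = new InMemoryPolicyChecker(['user/login', 'user/selfedit']);

// The reported case: the user edits their own password with the current check.
var_dump(canUpdateUserCurrent($selfEditOnly, 42, 42));

// The same user editing their own account with the selfedit-aware check.
var_dump(canUpdateUserWithSelfEdit($selfEditOnly, 42, 42));

// The same user trying to edit somebody else's account.
var_dump(canUpdateUserWithSelfEdit($selfEditOnly, 42, 7));
```

Run with `php` on the command line, the first call returns false (the Unauthorized exception the report describes), the second returns true (own account), and the third returns false (another user's account). The scoped comparison matters in practice: granting "content"/"edit" on user content as a workaround would let such a user modify every account, whereas honouring "user"/"selfedit" only for the caller's own account keeps the policy to least privilege.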