List current logged-in HoO user as editable row in cms_users#817
8b05848 to a3b5b2f
Pull request overview
Updates the CMS user listing/editing flow to better support “Head of Operations” (HoO) users, specifically allowing HoO users to see and edit themselves while preventing accidental edit attempts on peer HoO accounts.
Changes:
- Add `preventedit` flags to user list queries so rows can be made non-clickable when editing would be forbidden.
- Adjust active users query logic to include the current HoO user as visible/clickable while keeping other HoO users non-clickable.
- Update `cms_users_edit.php` access logic to allow self-edit for HoO and add a guard to prevent downgrading the last HoO user.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| include/cms_users.php | Makes current HoO user visible/clickable in list; marks other same/upper-level rows as non-editable via preventedit. |
| include/cms_users_edit.php | Allows HoO self-edit, adds “last HoO cannot downgrade self” protection, and refines usergroup options filtering. |
| include/cms_users_expired.php | Adds preventedit field to list queries for consistent non-clickable behavior. |
| include/cms_users_deactivated.php | Adds preventedit field to list queries for consistent non-clickable behavior. |
```php
if (!$_SESSION['user']['is_admin']
    && $data
    && $data['id'] != $_SESSION['user']['id']
    && ($data['is_admin']
        || $_SESSION['organisation']['id'] != $requesteduser['organisation_id']
        || $_SESSION['usergroup']['userlevel'] <= $requesteduser['userlevel'])) {
    throw new Exception('You do not have access to this user!', 403);
```
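Review bot: the self-edit exemption (`&& $data['id'] != $_SESSION['user']['id']`) short-circuits the whole predicate, so a non-admin user opening their own record skips the `is_admin`, organisation and userlevel comparisons entirely; that is the intended HoO self-edit path, but it means the form submission for the self case has to refuse a posted `cms_usergroups_id` whose userlevel is higher than `$_SESSION['usergroup']['userlevel']` on its own, otherwise the filtering of usergroup options in the form is the only thing between a user and a self-promotion. Also, the new `&& $data` guard sits after `$requesteduser` has already been built from `$data['cms_usergroups_id']`, so the not-found case is best handled directly after the `db_row()` load rather than here.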
This access check now guards on $data, but $data['cms_usergroups_id'] is still dereferenced earlier when building $requesteduser. If an invalid/non-existent id is requested, db_row() returns false and the earlier dereference will raise a PHP warning before this guard runs. Consider handling the “user not found” case immediately after loading $data (before using $data[...]).
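The load-then-check ordering the comment above asks for, as an added example and not code from the Boxtribute repository: the user row is loaded and rejected with a 404 before anything in it is dereferenced, the same access predicate as the snippet is written as a pure function, and the "last HoO cannot downgrade itself" guard from the PR overview is encoded as a decision on values the caller supplies. The function names, the `$dbRow` closure standing in for `db_row()`, the `$hooCountInOrg` parameter, the column names and the sample rows are all assumptions.

```php
<?php
// Added example, not Boxtribute's code: the load-then-check ordering the
// review comment asks for, plus the same access predicate as the snippet
// above, as plain functions so the decision logic can be run without the CMS.
// Assumed: $dbRow(table, id) returns array|false like db_row(); cms_users rows
// carry id/is_admin/cms_usergroups_id; cms_usergroups rows carry
// organisation_id/userlevel; the session layout matches the snippet.
declare(strict_types=1);

// Load the user and its usergroup, failing fast on a missing row so that
// $data[...] is never dereferenced on a `false` return.
function loadRequestedUser(callable $dbRow, int $id): array
{
    $data = $dbRow('cms_users', $id);
    if ($data === false) {
        throw new Exception('User not found!', 404);
    }
    $group = $dbRow('cms_usergroups', (int) $data['cms_usergroups_id']);
    if ($group === false) {
        throw new Exception('User group not found!', 404);
    }
    return ['user' => $data, 'group' => $group];
}

// Admins edit anyone; anyone edits themselves; otherwise the target must be a
// non-admin in the session's organisation with a strictly lower userlevel.
function mayEditUser(array $session, array $target, array $targetGroup): bool
{
    if ($session['user']['is_admin']) {
        return true;
    }
    if ((int) $target['id'] === (int) $session['user']['id']) {
        return true; // self-edit path the PR enables for HoO
    }
    if ($target['is_admin']) {
        return false;
    }
    if ((int) $session['organisation']['id'] !== (int) $targetGroup['organisation_id']) {
        return false;
    }
    return (int) $session['usergroup']['userlevel'] > (int) $targetGroup['userlevel'];
}

// Guard from the PR overview: the last HoO of an organisation must not move
// itself to a lower usergroup. How $hooCountInOrg is queried is assumed.
function isLastHooDowngrade(array $session, array $target, int $hooCountInOrg, array $newGroup): bool
{
    $isSelf = (int) $target['id'] === (int) $session['user']['id'];
    return $isSelf
        && $hooCountInOrg <= 1
        && (int) $newGroup['userlevel'] < (int) $session['usergroup']['userlevel'];
}

// --- constructed scenario, not real data ------------------------------------
$rows = [
    'cms_users' => [
        1 => ['id' => 1, 'is_admin' => 0, 'cms_usergroups_id' => 10], // HoO (logged in)
        2 => ['id' => 2, 'is_admin' => 0, 'cms_usergroups_id' => 10], // peer HoO
        3 => ['id' => 3, 'is_admin' => 0, 'cms_usergroups_id' => 11], // lower-level user
    ],
    'cms_usergroups' => [
        10 => ['id' => 10, 'organisation_id' => 1, 'userlevel' => 3],
        11 => ['id' => 11, 'organisation_id' => 1, 'userlevel' => 1],
    ],
];
$dbRow = fn (string $table, int $id) => $rows[$table][$id] ?? false;
$hooSession = [
    'user'         => ['id' => 1, 'is_admin' => 0],
    'organisation' => ['id' => 1],
    'usergroup'    => ['userlevel' => 3],
];

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

$self = loadRequestedUser($dbRow, 1);
$peer = loadRequestedUser($dbRow, 2);
$low  = loadRequestedUser($dbRow, 3);
check(mayEditUser($hooSession, $self['user'], $self['group']), 'HoO may edit self');
check(!mayEditUser($hooSession, $peer['user'], $peer['group']), 'HoO may not edit peer HoO');
check(mayEditUser($hooSession, $low['user'], $low['group']), 'HoO may edit lower-level user');
check(isLastHooDowngrade($hooSession, $self['user'], 1, $rows['cms_usergroups'][11]), 'last HoO self-downgrade blocked');
check(!isLastHooDowngrade($hooSession, $self['user'], 2, $rows['cms_usergroups'][11]), 'downgrade allowed when another HoO exists');
try {
    loadRequestedUser($dbRow, 999);
    check(false, 'missing user must throw');
} catch (Exception $e) {
    check($e->getCode() === 404, 'missing user rejected with 404 before any dereference');
}
```

Run with `php` on the command line; every `check` line prints `ok:` or the script aborts. The point of splitting `loadRequestedUser` from `mayEditUser` is that the not-found path can never reach the access predicate, and the predicate itself has no database access, so the self-edit and peer-HoO cases can be exercised directly.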
- make user visible (non-gray)
- only for HoO users
- enable user editing themselves (no 403 error when clicking row)
… god
Previously, when logged in as a HoO (same userlevel as Boxtribute God) and in organisation 1 (same organisation_id as Boxtribute God), it was possible to select "Boxtribute God" when editing a lower-level user.
a3b5b2f to 4b5c71a
4b5c71a to dcf960c
https://trello.com/c/9dyeV5VR