From 8ca66d09c75a685d5667cabfb11cae026ca4c771 Mon Sep 17 00:00:00 2001
From: coderkun
Date: Mon, 7 Apr 2014 23:10:44 +0200
Subject: [PATCH] correct permissions on user pages
---
 controllers/UsersController.inc | 6 ++++++
 views/html/users/user.tpl | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/controllers/UsersController.inc b/controllers/UsersController.inc
index b1ee5f56..4ba97dab 100644
--- a/controllers/UsersController.inc
+++ b/controllers/UsersController.inc
@@ -67,6 +67,7 @@
 * Show a user and its details.
 *
 * @throws IdNotFoundException
+ * @throws AccessDeniedException
 * @param string $userUrl URL-Username of an user
 */
 public function user($userUrl)
@@ -74,6 +75,11 @@
 // Get user
 $user = $this->Users->getUserByUrl($userUrl);
+ // Check permissions
+ if(count(array_intersect(array('admin','moderator'), \hhu\z\controllers\IntermediateController::$user['roles'])) == 0 && $user['id'] != IntermediateController::$user['id']) {
+ throw new \nre\exceptions\AccessDeniedException();
+ }
+
 // Get Characters
 $characters = $this->Characters->getCharactersForUser($user['id']);
diff --git a/views/html/users/user.tpl b/views/html/users/user.tpl
index 3a6ea526..e40d2fb0 100644
--- a/views/html/users/user.tpl
+++ b/views/html/users/user.tpl
@@ -1,9 +1,11 @@
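Review bot: The permission check added in the `@@ -74,6 +75,11 @@` hunk of `user()` indexes `IntermediateController::$user['roles']` and `['id']` without first confirming that a logged-in user is set, so for an anonymous request the result depends on how PHP handles a null offset and a non-array argument to `array_intersect()` rather than on an explicit deny; whether an earlier login check already covers this action is not visible here. I would read the viewer once with `$viewer = \hhu\z\controllers\IntermediateController::$user;` and deny up front with `if(empty($viewer)) { throw new \nre\exceptions\AccessDeniedException(); }`. The ownership test uses loose `!=`; `(int) $user['id'] !== (int) $viewer['id']` keeps the comparison free of type juggling between string and integer ids. The class is also named once fully qualified and once as bare `IntermediateController`, which resolve to the same class only if this file's namespace is `hhu\z\controllers`, so one spelling should be used for both. The body of `user()` continues outside the hunk.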

+ 0) : ?> +

format(new \DateTime($user['created'])))?>