Merge pull request #2477 from ushahidi/fix/permisions

Fix/permisions

src/Core/Tool/Authorizer/LayerAuthorizer.php

@@ -54,7 +54,7 @@ public function isAllowed(Entity $entity, $privilege)
 
 		// If a post is active then *anyone* can view it.
 		// Only an admin can view inactive layers or create/edit/update layers
-		if ($privilege === 'read' && $this->isLayerActive($entity)) {
+		if ($user->getId() and $privilege === 'read' && $this->isLayerActive($entity)) {
 			return true;
 		}
 

src/Core/Tool/Authorizer/MediaAuthorizer.php

@@ -58,7 +58,11 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// All users are allowed to view and create new media files.
-		if (in_array($privilege, ['read', 'create', 'search'])) {
+		if ($user->getId() and in_array($privilege, ['search'])) {
+			return true;
+		}
+
+		if (in_array($privilege, ['read', 'create'])) {
 			return true;
 		}
 

src/Core/Tool/Authorizer/RoleAuthorizer.php

@@ -42,11 +42,11 @@ public function isAllowed(Entity $entity, $privilege)
 			return true;
 		}
 
-        if ($privilege === 'read') {
+        if ($user->getId() and $privilege === 'read') {
             return true;
         }
         // All users are allowed to search forms.
-        if ($privilege === 'search') {
+        if ($user->getId() and $privilege === 'search') {
             return true;
         }
 

src/Core/Tool/Authorizer/TosAuthorizer.php

@@ -54,11 +54,11 @@ public function isAllowed(Entity $entity, $privilege)
             return false;
         }
 
-        if ($privilege === 'create') {
+        if ($user->getId() and $privilege === 'create') {
             return true;
         }
 
-        if ($privilege === 'search') {
+        if ($user->getId() and $privilege === 'search') {
             return true;
         }
 

src/Core/Tool/Authorizer/UserAuthorizer.php

@@ -81,12 +81,7 @@ public function isAllowed(Entity $entity, $privilege)
 		}
 
 		// Regular user should be able to update and read_full only self
-		if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full'])) {
-			return true;
-		}
-
-		// Regular user can always read
-		if (in_array($privilege, ['read', 'search'])) {
+		if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full', 'read'])) {
 			return true;
 		}
 

tests/integration/users.feature

@@ -158,21 +158,13 @@ Feature: Testing the Users API
 		And the "email" property equals "[email protected]"
 		Then the guzzle status code should be 200
 
-	Scenario: Finding a User as anonymous user gives partial details
+	Scenario: Finding a User as anonymous user does not give details
 		Given that I want to find a "User"
 		And that its "id" is "1"
 		And that the request "Authorization" header is "Bearer testanon"
 		When I request "/users"
+		Then the guzzle status code should be 403
 		Then the response is JSON
-		And the response has a "id" property
-		And the type of the "id" property is "numeric"
-		And the response has a "realname" property
-		And the response does not have a "email" property
-		And the response does not have a "logins" property
-		And the response does not have a "failed_attempts" property
-		And the response does not have a "last_login" property
-		And the response does not have a "last_attempt" property
-		Then the guzzle status code should be 200
 
 	Scenario: Finding a non-existent user
 		Given that I want to find a "User"