diff --git a/src/Core/Tool/Authorizer/LayerAuthorizer.php b/src/Core/Tool/Authorizer/LayerAuthorizer.php
index c318b5ea72..9ac22e8198 100644
--- a/src/Core/Tool/Authorizer/LayerAuthorizer.php
+++ b/src/Core/Tool/Authorizer/LayerAuthorizer.php
@@ -54,7 +54,7 @@ public function isAllowed(Entity $entity, $privilege)
 // If a post is active then *anyone* can view it.
 // Only an admin can view inactive layers or create/edit/update layers
- if ($privilege === 'read' && $this->isLayerActive($entity)) {
+ if ($user->getId() and $privilege === 'read' && $this->isLayerActive($entity)) {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/MediaAuthorizer.php b/src/Core/Tool/Authorizer/MediaAuthorizer.php
index daab9db3df..976502807d 100644
--- a/src/Core/Tool/Authorizer/MediaAuthorizer.php
+++ b/src/Core/Tool/Authorizer/MediaAuthorizer.php
@@ -58,7 +58,11 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // All users are allowed to view and create new media files.
- if (in_array($privilege, ['read', 'create', 'search'])) {
+ if ($user->getId() and in_array($privilege, ['search'])) {
+ return true;
+ }
+
+ if (in_array($privilege, ['read', 'create'])) {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/RoleAuthorizer.php b/src/Core/Tool/Authorizer/RoleAuthorizer.php
index 08a5965d7d..20b8a3da18 100644
--- a/src/Core/Tool/Authorizer/RoleAuthorizer.php
+++ b/src/Core/Tool/Authorizer/RoleAuthorizer.php
@@ -42,11 +42,11 @@ public function isAllowed(Entity $entity, $privilege)
 return true;
 }
- if ($privilege === 'read') {
+ if ($user->getId() and $privilege === 'read') {
 return true;
 }
 // All users are allowed to search forms.
- if ($privilege === 'search') {
+ if ($user->getId() and $privilege === 'search') {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/TosAuthorizer.php b/src/Core/Tool/Authorizer/TosAuthorizer.php
index bf100d476e..3d831b4e63 100644
--- a/src/Core/Tool/Authorizer/TosAuthorizer.php
+++ b/src/Core/Tool/Authorizer/TosAuthorizer.php
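Review bot: The comment directly above the changed condition still says an active layer can be viewed by *anyone*, but the new line grants `read` only when `$user->getId()` is truthy, so the comment now contradicts the code; change it to `// Only a logged-in user can view an active layer.` The same stale-comment problem applies to `// All users are allowed to view and create new media files.` in the MediaAuthorizer hunk and `// All users are allowed to search forms.` in the RoleAuthorizer hunk. Mixing `and` with `&&` in one expression is also fragile: `and` binds lower than both `&&` and `=`, which is harmless inside this `if` but silently changes meaning the moment someone assigns the result, so write `if ($user->getId() && $privilege === 'read' && $this->isLayerActive($entity)) {` and use `&&` in the Media, Role and Tos hunks as well. `$user` is not assigned anywhere in this hunk, so presumably it is resolved earlier in isAllowed, whose body starts and ends outside the hunk; worth confirming it can never be null at this point in each authorizer, since the new code now dereferences it unconditionally.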
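Review bot: In the MediaAuthorizer hunk, `in_array($privilege, ['search'])` with a one-element array is a roundabout equality test and, without the strict flag, uses loose comparison; the direct form `if ($user->getId() && $privilege === 'search') {` says the same thing and matches how the Role and Tos hunks express the identical rule. The second branch keeps `read` and `create` open to unauthenticated callers, which is unchanged behaviour, but now that anonymous `create` sits on its own line it reads like an oversight; a one-line comment such as `// Anonymous upload is intentional: media is attached to posts submitted without an account.` (adjusted to the real reason) would record that this is deliberate. isAllowed continues outside the hunk in both directions.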
@@ -54,11 +54,11 @@ public function isAllowed(Entity $entity, $privilege)
 return false;
 }
- if ($privilege === 'create') {
+ if ($user->getId() and $privilege === 'create') {
 return true;
 }
- if ($privilege === 'search') {
+ if ($user->getId() and $privilege === 'search') {
 return true;
 }
diff --git a/src/Core/Tool/Authorizer/UserAuthorizer.php b/src/Core/Tool/Authorizer/UserAuthorizer.php
index ea617dde4e..e1558b9ff8 100644
--- a/src/Core/Tool/Authorizer/UserAuthorizer.php
+++ b/src/Core/Tool/Authorizer/UserAuthorizer.php
@@ -81,12 +81,7 @@ public function isAllowed(Entity $entity, $privilege)
 }
 // Regular user should be able to update and read_full only self
- if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full'])) {
- return true;
- }
-
- // Regular user can always read
- if (in_array($privilege, ['read', 'search'])) {
+ if ($this->isUserSelf($entity) && in_array($privilege, ['update', 'read_full', 'read'])) {
 return true;
 }
diff --git a/tests/integration/users.feature b/tests/integration/users.feature
index d1cdc0fc66..1d2da89595 100644
--- a/tests/integration/users.feature
+++ b/tests/integration/users.feature
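Review bot: In the UserAuthorizer hunk the rewritten condition drops `search` entirely: the removed branch granted `read` and `search` to every caller, the new one grants `read` only to the user themself and says nothing about `search`, so a logged-in non-admin searching users now falls through to whatever isAllowed returns after the hunk (presumably false). Every other authorizer touched by this commit keeps search for authenticated callers via `$user->getId()`, so unless the intent is to make user search admin-only this looks like an accidental regression; if search should remain available to logged-in users, add `if ($user->getId() && $privilege === 'search') { return true; }` after the self check, assuming `$user` is in scope here as it is in the other authorizers. The comment `// Regular user should be able to update and read_full only self` is also stale now that `read` is in the list; change it to `// A regular user may update, read_full and read only their own record`. isAllowed starts and ends outside the hunk.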
@@ -158,21 +158,13 @@ Feature: Testing the Users API
 And the "email" property equals "robbie@ushahidi.com"
 Then the guzzle status code should be 200
- Scenario: Finding a User as anonymous user gives partial details
+ Scenario: Finding a User as anonymous user does not give details
 Given that I want to find a "User"
 And that its "id" is "1"
 And that the request "Authorization" header is "Bearer testanon"
 When I request "/users"
+ Then the guzzle status code should be 403
 Then the response is JSON
- And the response has a "id" property
- And the type of the "id" property is "numeric"
- And the response has a "realname" property
- And the response does not have a "email" property
- And the response does not have a "logins" property
- And the response does not have a "failed_attempts" property
- And the response does not have a "last_login" property
- And the response does not have a "last_attempt" property
- Then the guzzle status code should be 200
 Scenario: Finding a non-existent user
 Given that I want to find a "User"
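Review bot: The rewritten scenario only covers an anonymous find of a single user, while the commit also tightens read/search in the Layer, Media, Role and Tos authorizers and removes the regular-user `search` grant in UserAuthorizer; none of those paths get a scenario here, so the new denials are unverified unless they are exercised in feature files outside this diff. A scenario of the same shape for the anonymous user listing `/users`, and one for a logged-in non-admin, would pin the intended behaviour and would have surfaced the dropped `search` case. After `Then the guzzle status code should be 403`, `Then the response is JSON` is the only check on the body; asserting the API's documented error shape as well would keep the test from passing on a 403 with an unexpected body.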