
PHP Cross Reference of Joomla 4.2.2 documentation


/administrator/components/com_users/src/Dispatcher/ -> Dispatcher.php (source)

   1  <?php
   2  
   3  /**
   4   * @package         Joomla.Administrator
   5   * @subpackage      com_users
   6   *
   7   * @copyright   (C) 2021 Open Source Matters, Inc. <https://www.joomla.org>
   8   * @license         GNU General Public License version 2 or later; see LICENSE.txt
   9   */
  10  
  11  namespace Joomla\Component\Users\Administrator\Dispatcher;
  12  
  13  use Joomla\CMS\Dispatcher\ComponentDispatcher;
  14  
  15  // phpcs:disable PSR1.Files.SideEffects
  16  \defined('_JEXEC') or die;
  17  // phpcs:enable PSR1.Files.SideEffects
  18  
  19  /**
  20   * ComponentDispatcher class for com_users
  21   *
  22   * @since  4.0.0
  23   */
  24  class Dispatcher extends ComponentDispatcher
  25  {
  26      /**
  27       * Override checkAccess to allow users edit profile without having to have core.manager permission
  28       *
  29       * @return  void
  30       *
  31       * @since  4.0.0
  32       */
  33      protected function checkAccess()
  34      {
  35          $task         = $this->input->getCmd('task');
  36          $view         = $this->input->getCmd('view');
  37          $layout       = $this->input->getCmd('layout');
  38          $allowedTasks = ['user.edit', 'user.apply', 'user.save', 'user.cancel'];
  39  
  40          // Allow users to edit their own account
  41          if (in_array($task, $allowedTasks, true) || ($view === 'user' && $layout === 'edit')) {
  42              $user = $this->app->getIdentity();
  43              $id   = $this->input->getInt('id');
  44  
  45              if ((int) $user->id === $id) {
  46                  return;
  47              }
  48          }
  49  
  50          /**
  51           * Special case: Multi-factor Authentication
  52           *
  53           * We allow access to all MFA views and tasks. Access control for MFA tasks is performed in
  54           * the Controllers since what is allowed depends on who is logged in and whose account you
  55           * are trying to modify. Implementing these checks in the Dispatcher would violate the
  56           * separation of concerns.
  57           */
  58          $allowedViews  = ['callback', 'captive', 'method', 'methods'];
  59          $isAllowedTask = array_reduce(
  60              $allowedViews,
  61              function ($carry, $taskPrefix) use ($task) {
  62                  return $carry || strpos($task ?? '', $taskPrefix . '.') === 0;
  63              },
  64              false
  65          );
  66  
  67          if (in_array(strtolower($view ?? ''), $allowedViews) || $isAllowedTask) {
  68              return;
  69          }
  70  
  71          parent::checkAccess();
  72      }
  73  }

