diff --git a/eZ/Publish/Core/Repository/UserService.php b/eZ/Publish/Core/Repository/UserService.php
index 9ac7f8e129..32a6732db8 100644
--- a/eZ/Publish/Core/Repository/UserService.php
+++ b/eZ/Publish/Core/Repository/UserService.php
@@ -645,7 +645,9 @@ public function updateUser(APIUser $user, UserUpdateStruct $userUpdateStruct): A
         $contentService = $this->repository->getContentService();
-        if (!$this->permissionResolver->canUser('content', 'edit', $loadedUser)) {
+        $canEditContent = $this->permissionResolver->canUser('content', 'edit', $loadedUser);
+
+        if (!$canEditContent && $this->isUserProfileUpdateRequested($userUpdateStruct)) {
             throw new UnauthorizedException('content', 'edit');
         }
@@ -681,6 +683,13 @@ public function updateUser(APIUser $user, UserUpdateStruct $userUpdateStruct): A
             );
         }
+        if (!empty($userUpdateStruct->password) &&
+            !$canEditContent &&
+            !$this->permissionResolver->canUser('user', 'password', $loadedUser)
+        ) {
+            throw new UnauthorizedException('user', 'password');
+        }
+
         $this->executeUserUpdate($loadedUser, $userUpdateStruct);
         return $this->loadUser($loadedUser->id);
@@ -1351,6 +1360,23 @@ private function comparePasswordHashes(
         return $this->passwordHashService->isValidPassword($plainPassword, $passwordHash, $hashAlgorithm);
     }
+    /**
+     * Return true if any of the UserUpdateStruct properties refers to User Profile (Content) update.
+     *
+     * @param UserUpdateStruct $userUpdateStruct
+     *
+     * @return bool
+     */
+    private function isUserProfileUpdateRequested(UserUpdateStruct $userUpdateStruct)
+    {
+        return
+            !empty($userUpdateStruct->contentUpdateStruct) ||
+            !empty($userUpdateStruct->contentMetadataUpdateStruct) ||
+            !empty($userUpdateStruct->email) ||
+            !empty($userUpdateStruct->enabled) ||
+            !empty($userUpdateStruct->maxLogin);
+    }
+
     private function getDateTime(?int $timestamp): ?DateTimeInterface
     {
         if ($timestamp !== null) {
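Review bot: The relaxed gate on the `content`/`edit` check is the authorization-relevant line of this change and deserves a comment explaining why a failed `canUser` no longer throws unconditionally, otherwise the next reader will "fix" it back. Something like `// Only profile (content) fields require content/edit; a password-only update is gated separately by the user/password policy below.` above the new `if` would capture the intent. The enclosing updateUser() begins and ends outside this hunk, and the same split is also relied on by the second hunk of this file.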
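Review bot: `!empty($userUpdateStruct->password)` treats the string `'0'` as "no password supplied", so an update carrying that value would skip the `user`/`password` policy check and reach `executeUserUpdate()` ungated, assuming the executor applies whatever password is set; the same `empty()` pattern in the new `isUserProfileUpdateRequested()` helper in the third hunk has the analogous problem for `enabled` and `maxLogin`. Test for presence rather than truthiness, `if ($userUpdateStruct->password !== null &&`, provided the struct's properties default to `null` (please confirm in UserUpdateStruct). The check also assumes `$canEditContent` from the first hunk is still in scope, which holds only because both hunks are in the same updateUser() body; the method's boundaries are outside this hunk.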
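Review bot: `!empty($userUpdateStruct->enabled)` and `!empty($userUpdateStruct->maxLogin)` return false for `enabled = false` and `maxLogin = 0`, so a struct that only disables the account or zeroes the login limit is not treated as a profile update and the `content`/`edit` check in updateUser() is never applied to it, even though the first hunk now relies on this helper as the sole gate for those fields. Since the helper exists to detect whether a field was supplied at all, comparing against `null` is the right test, on the assumption that UserUpdateStruct initialises these properties to `null` (worth confirming). The method should also carry a `: bool` return type, consistent with the typed `getDateTime()` and `updateUser()` signatures visible in this file, at which point the `@param`/`@return` lines restate native types and can be dropped in favour of a one-line description.
```php
    private function isUserProfileUpdateRequested(UserUpdateStruct $userUpdateStruct): bool
    {
        // Presence, not truthiness: enabled=false and maxLogin=0 are real profile updates.
        return $userUpdateStruct->contentUpdateStruct !== null
            || $userUpdateStruct->contentMetadataUpdateStruct !== null
            || $userUpdateStruct->email !== null
            || $userUpdateStruct->enabled !== null
            || $userUpdateStruct->maxLogin !== null;
    }
```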