From 75c7526c4cf3c50e6208947039cbbdedae752eea Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione <18699708+giuscris@users.noreply.github.com>
Date: Sat, 27 Jun 2026 10:10:42 +0200
Subject: [PATCH] Enforce explicit actor-target checks for profile/password updates

---
 formwork/src/Users/User.php | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/formwork/src/Users/User.php b/formwork/src/Users/User.php
index 3488503b5..137a184e7 100644
--- a/formwork/src/Users/User.php
+++ b/formwork/src/Users/User.php
@@ -191,7 +191,7 @@ public function isAdmin(): bool
 */
 public function canDeleteUser(User $user): bool
 {
- return $this->isAdmin() && !$user->isLoggedIn();
+ return $this->isAdmin() && $this->username() !== $user->username();
 }

 /**
@@ -199,10 +199,7 @@ public function canDeleteUser(User $user): bool
 */
 public function canChangeOptionsOf(User $user): bool
 {
- if ($this->isAdmin()) {
- return true;
- }
- return $user->isLoggedIn();
+ return $this->isAdmin() || $this->username() === $user->username();
 }

 /**
@@ -210,7 +207,7 @@ public function canChangeOptionsOf(User $user): bool
 */
 public function canChangePasswordOf(User $user): bool
 {
- return $user->isLoggedIn();
+ return $this->username() === $user->username();
 }

 /**
@@ -218,7 +215,7 @@ public function canChangePasswordOf(User $user): bool
 */
 public function canChangeRoleOf(User $user): bool
 {
- return $this->isAdmin() && !$user->isLoggedIn();
+ return $this->isAdmin() && $this->username() !== $user->username();
 }

 /**
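Review bot: The self-exclusion on the `+` line of canDeleteUser now rests on a strict string comparison of `username()`, so it only holds if both objects carry the same canonical form; if usernames are normalised (trimmed, lower-cased) at login or at creation but not here, an admin whose session user and stored user differ only in case could delete, or in the canChangeRoleOf hunk re-role, their own account. If the project already canonicalises usernames at the boundary, a comment on this line saying so would make the invariant visible; if it does not, compare canonical forms instead, e.g. `return $this->isAdmin() && strcasecmp($this->username(), $user->username()) !== 0;`. The method also now implicitly requires `$this` to be the authenticated actor, which the visible docblock fragment does not state; a line such as `$this must be the session-authenticated actor, never a User resolved from request input` would pin that contract. canDeleteUser's docblock starts outside the hunk.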
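Review bot: The new `+` line of canChangePasswordOf grants the change whenever the two objects share a username and nothing else, so `$user->canChangePasswordOf($user)` is always true and the check is only meaningful if callers take `$this` from the authenticated session rather than from the request; the removed `isLoggedIn()` call was the only session-bound condition and nothing in the hunk replaces it. I would either document the contract in the docblock (`The actor ($this) must be the currently authenticated user; the result is meaningless for a User loaded by username from request data.`) or keep the session binding explicit with `return $this->isLoggedIn() && $this->username() === $user->username();`, assuming isLoggedIn() still means "this object is the session user" (its definition is not visible here). Administrators still cannot change another user's password after this change, which looks intentional but is worth stating in the docblock so a later "reset user password" feature is not routed through this method by mistake. The docblock above the method lies outside the hunk.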