authorDave Arter <davea@mysociety.org>2016-08-01 16:36:55 +0100
committerDave Arter <davea@mysociety.org>2016-08-17 15:34:53 +0100
commit91c5520c7078f2caa3cbdbdcff4f86a29d9d7390 (patch)
tree3f6919c4a7713db5db4e83aeddec87591742da6f /perllib/FixMyStreet/App/Controller
parentf0220a9742ef0b7458b2dafaba5d9f860a741a91 (diff)
Restrict user editing in admin
The 'user_edit' permission is required to edit users. The admin pages on UK council cobrands only allow editing of users whose from_body is the same as the logged-in user's, or who have sent reports or updates to the council.
Diffstat (limited to 'perllib/FixMyStreet/App/Controller')
-rw-r--r--perllib/FixMyStreet/App/Controller/Admin.pm12
1 files changed, 9 insertions, 3 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index fbd855333..91af480a8 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -920,7 +920,7 @@ sub users: Path('users') : Args(0) {
my $search_n = 0;
$search_n = int($search) if $search =~ /^\d+$/;
- my $users = $c->model('DB::User')->search(
+ my $users = $c->cobrand->users->search(
{
-or => [
email => { ilike => $isearch },
@@ -952,7 +952,7 @@ sub users: Path('users') : Args(0) {
$c->forward('fetch_all_bodies');
# Admin users by default
- my $users = $c->model('DB::User')->search(
+ my $users = $c->cobrand->users->search(
{ from_body => { '!=', undef } },
{ order_by => 'name' }
);
@@ -1120,7 +1120,13 @@ sub user_edit : Path('user_edit') : Args(1) {
$c->forward('/auth/get_csrf_token');
- my $user = $c->model('DB::User')->find( { id => $id } );
+ my $user = $c->cobrand->users->find( { id => $id } );
+ $c->detach( '/page_error_404_not_found' ) unless $user;
+
+ unless ( $c->user->is_superuser || ( $c->user->has_permission_to('user_edit', $c->user->from_body->id) ) ) {
+ $c->detach('/page_error_403_access_denied', []);
+ }
+
$c->stash->{user} = $user;
$c->forward('fetch_all_bodies');
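Review bot: The permission check in the user_edit hunk runs after the user lookup, so a logged-in user without 'user_edit' gets a 404 for ids outside the cobrand's user set and a 403 for ids inside it, which lets them probe which user ids exist before being refused; doing the authorisation check first gives every unauthorised caller the same 403. The check itself calls `$c->user->from_body->id` unguarded, and if a non-superuser with no from_body can reach this action (the earlier users hunk only suggests that admin users normally have one) that is a method call on undef, i.e. a 500 rather than a clean denial. Suggested reordering with the from_body guard below; the rest of user_edit starts and ends outside the hunk.
```perl
# Authorise before touching any user record so an unauthorised caller
# cannot distinguish "no such user" (404) from "not allowed" (403).
my $body = $c->user->from_body;
unless ( $c->user->is_superuser || ( $body && $c->user->has_permission_to('user_edit', $body->id) ) ) {
    $c->detach('/page_error_403_access_denied', []);
}

my $user = $c->cobrand->users->find( { id => $id } );
$c->detach( '/page_error_404_not_found' ) unless $user;
# … unchanged: stash user, fetch_all_bodies …
```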