aboutsummaryrefslogtreecommitdiffstats
path: root/perllib/FixMyStreet/App/Controller
diff options
context:
space:
mode:
Diffstat (limited to 'perllib/FixMyStreet/App/Controller')
-rw-r--r--perllib/FixMyStreet/App/Controller/Admin.pm12
1 files changed, 9 insertions, 3 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index fbd855333..91af480a8 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -920,7 +920,7 @@ sub users: Path('users') : Args(0) {
my $search_n = 0;
$search_n = int($search) if $search =~ /^\d+$/;
- my $users = $c->model('DB::User')->search(
+ my $users = $c->cobrand->users->search(
{
-or => [
email => { ilike => $isearch },
@@ -952,7 +952,7 @@ sub users: Path('users') : Args(0) {
$c->forward('fetch_all_bodies');
# Admin users by default
- my $users = $c->model('DB::User')->search(
+ my $users = $c->cobrand->users->search(
{ from_body => { '!=', undef } },
{ order_by => 'name' }
);
@@ -1120,7 +1120,13 @@ sub user_edit : Path('user_edit') : Args(1) {
$c->forward('/auth/get_csrf_token');
- my $user = $c->model('DB::User')->find( { id => $id } );
+ my $user = $c->cobrand->users->find( { id => $id } );
+ $c->detach( '/page_error_404_not_found' ) unless $user;
+
+ unless ( $c->user->is_superuser || ( $c->user->has_permission_to('user_edit', $c->user->from_body->id) ) ) {
+ $c->detach('/page_error_403_access_denied', []);
+ }
+
$c->stash->{user} = $user;
$c->forward('fetch_all_bodies');
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-26 22:10:38 +0000