sonata-project / SonataUserBundle

Symfony SonataUserBundle
https://docs.sonata-project.org/projects/SonataUserBundle
MIT License
342 stars, 487 forks

The profile link in `user_block.html.twig` is always displayed, even if user is not allowed to view the profile. #1591

Closed landure closed 1 year ago

landure commented 1 year ago

The profile link in user_block.html.twig is displayed, even if the user does not have 'VIEW' rights for the user profile.

This issue is linked to SonataAdminBundle #7995.

A fix for the issue is adding an `if` testing for the presence of the VIEW and EDIT roles for app.user:

```twig
<li class="user-footer">
    {% if is_granted('VIEW', app.user) or is_granted('EDIT', app.user) %}
        <div class="pull-left">
            <a href="{{
                sonata_user.userAdmin.isGranted('EDIT', app.user) ?
                    sonata_user.userAdmin.generateUrl('edit', {id: app.user.id}) :
                    sonata_user.userAdmin.generateUrl('show', {id: app.user.id})
            }}" class="btn btn-default btn-flat">
                <i class="fas fa-user"></i>
                {{ 'user_block_profile'|trans({}, 'SonataUserBundle') }}
            </a>
        </div>
    {% endif %}

    <div class="pull-right">
        <a href="{{ _logout_uri }}" class="btn btn-default btn-flat">
            <i class="fas fa-sign-out-alt fa-fw"></i>
            {{ _logout_text }}
        </a>
    </div>
</li>
```

Environment

Sonata packages


```
$ composer show --latest 'sonata-project/*'
sonata-project/block-bundle        4.19.0 4.19.0 Symfony SonataBlockBundle
sonata-project/cache               2.2.0  2.2.0  Cache library
Package sonata-project/cache is abandoned, you should avoid using it. No replacement was suggested.
sonata-project/doctrine-extensions 2.0.1  2.1.0  Doctrine2 behavioral extensions
sonata-project/exporter            3.0.0  3.1.1  Lightweight Exporter library
sonata-project/form-extensions     1.18.0 1.18.0 Symfony form extensions
sonata-project/twig-extensions     2.0.0  2.0.0  Sonata twig extensions
```

Symfony packages


```
$ composer show --latest 'symfony/*'
Direct dependencies required in composer.json:
symfony/asset                  v6.1.5  v6.2.0  Manages URL generation and versioning of web assets such as CSS stylesheets, JavaScript files and image files
symfony/browser-kit            v6.1.3  v6.2.0  Simulates the behavior of a web browser, allowing you to make requests, click on links and submit forms programmatically
symfony/console                v6.1.9  v6.2.3  Eases the creation of beautiful and testable command line interfaces
symfony/css-selector           v6.1.9  v6.2.3  Converts CSS selectors to XPath expressions
symfony/debug-bundle           v6.1.3  v6.2.1  Provides a tight integration of the Symfony VarDumper component and the ServerLogCommand from MonologBridge into the Symfony full-stack framework
symfony/dependency-injection   v6.1.9  v6.2.3  Allows you to standardize and centralize the way objects are constructed in your application
symfony/doctrine-messenger     v6.1.8  v6.2.0  Symfony Doctrine Messenger Bridge
symfony/dotenv                 v6.1.0  v6.2.0  Registers environment variables from a .env file
symfony/expression-language    v6.1.6  v6.2.2  Provides an engine that can compile and evaluate expressions
symfony/flex                   v2.2.4  v2.2.4  Composer plugin for Symfony
symfony/form                   v6.1.9  v6.2.3  Allows to easily create, process and reuse HTML forms
symfony/framework-bundle       v6.1.9  v6.2.3  Provides a tight integration between Symfony components and the Symfony full-stack framework
symfony/http-client            v6.1.9  v6.2.2  Provides powerful methods to fetch HTTP resources synchronously or asynchronously
symfony/intl                   v6.1.7  v6.2.0  Provides a PHP replacement layer for the C intl extension that includes additional data from the ICU library
symfony/mailer                 v6.1.9  v6.2.2  Helps sending emails
symfony/maker-bundle           v1.48.0 v1.48.0 Symfony Maker helps you create empty commands, controllers, form classes, tests and more so you can forget about writing boilerplate code.
symfony/mercure-bundle         v0.3.5  v0.3.5  Symfony MercureBundle
symfony/mime                   v6.1.9  v6.2.2  Allows manipulating MIME messages
symfony/monolog-bundle         v3.8.0  v3.8.0  Symfony MonologBundle
symfony/notifier               v6.1.0  v6.2.0  Sends notifications via one or more channels (email, SMS, ...)
symfony/phpunit-bridge         v6.2.3  v6.2.3  Provides utilities for PHPUnit, especially user deprecation notices management
symfony/process                v6.1.3  v6.2.0  Executes commands in sub-processes
symfony/property-access        v6.1.7  v6.2.3  Provides functions to read and write from/to an object or array using a simple string notation
symfony/property-info          v6.1.9  v6.2.3  Extracts information about PHP class' properties using metadata of popular sources
symfony/proxy-manager-bridge   v6.1.0  v6.2.0  Provides integration for ProxyManager with various Symfony components
symfony/runtime                v6.1.3  v6.2.0  Enables decoupling PHP applications from global state
symfony/security-bundle        v6.1.9  v6.2.3  Provides a tight integration of the Security component into the Symfony full-stack framework
symfony/serializer             v6.1.9  v6.2.3  Handles serializing and deserializing data structures, including object graphs, into array structures or other formats like XML and JSON.
symfony/stopwatch              v6.1.5  v6.2.0  Provides a way to profile code
symfony/string                 v6.1.9  v6.2.2  Provides an object-oriented API to strings and deals with bytes, UTF-8 code points and grapheme clusters in a unified way
symfony/templating             v6.1.3  v6.2.0  Provides all the tools needed to build any kind of template system
symfony/translation            v6.1.6  v6.2.3  Provides tools to internationalize your application
symfony/twig-bundle            v6.1.9  v6.2.3  Provides a tight integration of Twig into the Symfony full-stack framework
symfony/ux-chartjs             v2.6.1  v2.6.1  Chart.js integration for Symfony
symfony/validator              v6.1.9  v6.2.3  Provides tools to validate values
symfony/web-link               v6.1.0  v6.2.0  Manages links between resources
symfony/web-profiler-bundle    v6.1.9  v6.2.4  Provides a development tool that gives detailed information about the execution of any request
symfony/webpack-encore-bundle  v1.16.0 v1.16.0 Integration with your Symfony app & Webpack Encore!
symfony/yaml                   v6.1.9  v6.2.2  Loads and dumps YAML files
Transitive dependencies not required in composer.json:
symfony/cache                      v6.1.10 v6.2.4  Provides extended PSR-6, PSR-16 (and tags) implementations
symfony/cache-contracts            v3.2.0  v3.2.0  Generic abstractions related to caching
symfony/config                     v6.1.3  v6.2.0  Helps you find, load, combine, autofill and validate configuration values of any kind
symfony/deprecation-contracts      v3.2.0  v3.2.0  A generic function and convention to trigger deprecation notices
symfony/doctrine-bridge            v6.1.9  v6.2.3  Provides integration for Doctrine with various Symfony components
symfony/dom-crawler                v6.1.9  v6.2.3  Eases DOM navigation for HTML and XML documents
symfony/error-handler              v6.1.9  v6.2.3  Provides tools to manage errors and ease debugging PHP code
symfony/event-dispatcher           v6.1.9  v6.2.2  Provides tools that allow your application components to communicate with each other by dispatching events and listening to them
symfony/event-dispatcher-contracts v3.2.0  v3.2.0  Generic abstractions related to dispatching event
symfony/filesystem                 v6.1.5  v6.2.0  Provides basic utilities for the filesystem
symfony/finder                     v6.1.9  v6.2.3  Finds files and directories via an intuitive fluent interface
symfony/http-client-contracts      v3.1.1  v3.1.1  Generic abstractions related to HTTP clients
symfony/http-foundation            v6.1.9  v6.2.2  Defines an object-oriented layer for the HTTP specification
symfony/http-kernel                v6.1.10 v6.2.4  Provides a structured process for converting a Request into a Response
symfony/mercure                    v0.6.2  v0.6.2  Symfony Mercure Component
symfony/messenger                  v6.1.9  v6.2.2  Helps applications send and receive messages to/from other applications or via message queues
symfony/monolog-bridge             v6.1.9  v6.2.2  Provides integration for Monolog with various Symfony components
symfony/options-resolver           v6.1.0  v6.2.0  Provides an improved replacement for the array_replace PHP function
symfony/password-hasher            v6.1.3  v6.2.0  Provides password hashing utilities
symfony/polyfill-intl-grapheme     v1.27.0 v1.27.0 Symfony polyfill for intl's grapheme_* functions
symfony/polyfill-intl-icu          v1.27.0 v1.27.0 Symfony polyfill for intl's ICU-related data and classes
symfony/polyfill-intl-idn          v1.27.0 v1.27.0 Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
symfony/polyfill-intl-normalizer   v1.27.0 v1.27.0 Symfony polyfill for intl's Normalizer class and related functions
symfony/polyfill-mbstring          v1.27.0 v1.27.0 Symfony polyfill for the Mbstring extension
symfony/routing                    v6.1.9  v6.2.3  Maps an HTTP request to a set of configuration variables
symfony/security-acl               v3.3.2  v3.3.2  Symfony Security Component - ACL (Access Control List)
symfony/security-core              v6.1.9  v6.2.2  Symfony Security Component - Core Library
symfony/security-csrf              v6.1.0  v6.2.0  Symfony Security Component - CSRF Library
symfony/security-http              v6.1.9  v6.2.2  Symfony Security Component - HTTP Integration
symfony/service-contracts          v3.2.0  v3.2.0  Generic abstractions related to writing services
symfony/translation-contracts      v3.2.0  v3.2.0  Generic abstractions related to translation
symfony/twig-bridge                v6.1.9  v6.2.3  Provides integration for Twig with various Symfony components
symfony/var-dumper                 v6.1.9  v6.2.3  Provides mechanisms for walking through any arbitrary PHP variable
symfony/var-exporter               v6.1.9  v6.2.3  Allows exporting any serializable PHP data structure to plain PHP code
```

PHP version

```
$ php -v
PHP 8.1.2-1ubuntu2.9 (cli) (built: Oct 19 2022 14:58:09) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.2, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.2-1ubuntu2.9, Copyright (c), by Zend Technologies
    with Xdebug v3.1.2, Copyright (c) 2002-2021, by Derick Rethans
```

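The guard proposed above is about not advertising a link the user cannot follow; the admin's own `show`/`edit` actions are still the enforcement point (Sonata's CRUDController calls `checkAccess` before acting on an object), so the template change should be verified as a rendering regression rather than as the authorization check itself. The following script is an added example, not code from the issue or from SonataUserBundle. It renders a reduced `user_block` footer with and without the `{% if is_granted(...) %}` guard and asserts on the output. Symfony's `is_granted()` and the `sonata_user.userAdmin` service are replaced by hypothetical stubs (`FakeUserAdmin`, the `/admin/app/user/...` URL shape, the user ids and permission map are all constructed for the example), so it runs with only `twig/twig` installed.

```php
<?php
declare(strict_types=1);

// Added example (not the issue's or the bundle's code): regression check for the
// user_block profile link. Requires: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFunction;

/** Hypothetical stand-in for sonata_user.userAdmin; assumption, not Sonata's admin class. */
final class FakeUserAdmin
{
    /** @param array<int, string[]> $granted constructed map: user id => attributes held on the own profile */
    public function __construct(private array $granted) {}

    public function isGranted(string $attribute, object $user): bool
    {
        return in_array($attribute, $this->granted[$user->id] ?? [], true);
    }

    public function generateUrl(string $route, array $params): string
    {
        // Constructed URL shape; the real URL would come from the admin's router.
        return sprintf('/admin/app/user/%d/%s', $params['id'], $route);
    }
}

// Footer as reported in the issue (no guard): the link is rendered for every logged-in user.
$footerBefore = <<<'TWIG'
<li class="user-footer">
  <div class="pull-left">
    <a href="{{ sonata_user.userAdmin.isGranted('EDIT', app.user)
        ? sonata_user.userAdmin.generateUrl('edit', {id: app.user.id})
        : sonata_user.userAdmin.generateUrl('show', {id: app.user.id}) }}">profile</a>
  </div>
</li>
TWIG;

// Footer with the guard proposed in the issue.
$footerAfter = <<<'TWIG'
<li class="user-footer">
  {% if is_granted('VIEW', app.user) or is_granted('EDIT', app.user) %}
  <div class="pull-left">
    <a href="{{ sonata_user.userAdmin.isGranted('EDIT', app.user)
        ? sonata_user.userAdmin.generateUrl('edit', {id: app.user.id})
        : sonata_user.userAdmin.generateUrl('show', {id: app.user.id}) }}">profile</a>
  </div>
  {% endif %}
</li>
TWIG;

function renderFooter(string $template, FakeUserAdmin $admin, object $user): string
{
    $twig = new Environment(new ArrayLoader(['footer' => $template]));
    // Stub for Symfony's is_granted(): delegate to the fake admin's permission map
    // instead of the real security voters.
    $twig->addFunction(new TwigFunction(
        'is_granted',
        static fn (string $attribute, object $subject): bool => $admin->isGranted($attribute, $subject)
    ));

    return $twig->render('footer', [
        'app' => (object) ['user' => $user],
        'sonata_user' => (object) ['userAdmin' => $admin],
    ]);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAIL: {$what}\n");
        exit(1);
    }
}

// Constructed users: 8 holds nothing on their profile, 7 may view, 9 may view and edit.
$admin    = new FakeUserAdmin([7 => ['VIEW'], 8 => [], 9 => ['VIEW', 'EDIT']]);
$noRights = (object) ['id' => 8];
$viewer   = (object) ['id' => 7];
$editor   = (object) ['id' => 9];

// The reported behaviour: without the guard the link is emitted even for user 8.
check(str_contains(renderFooter($footerBefore, $admin, $noRights), '/admin/app/user/8/show'),
    'unguarded footer still links the profile for a user without VIEW/EDIT');

// With the guard: no link for user 8, a show link for 7, an edit link for 9.
check(!str_contains(renderFooter($footerAfter, $admin, $noRights), '<a href'),
    'guarded footer hides the link for a user without VIEW/EDIT');
check(str_contains(renderFooter($footerAfter, $admin, $viewer), '/admin/app/user/7/show'),
    'guarded footer links to show for a VIEW-only user');
check(str_contains(renderFooter($footerAfter, $admin, $editor), '/admin/app/user/9/edit'),
    'guarded footer links to edit for an EDIT user');

echo "user_block footer guard behaves as expected\n";
```

Run it with `php check_user_block.php` from a directory where `twig/twig` is installed. Because the permission map is injected, the same harness can be pointed at a real `UserAdmin` in a functional test by swapping the stub for the service and `is_granted` for the real Twig function from the security bundle.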
VincentLanglet commented 1 year ago

Can you provide a PR with a screenshot BEFORE/AFTER? It will be easier for me to understand with screenshots since I don't use this bundle.