fix(authentication): Correctly checks settings before letting a user …

…change name or image. (serverpod#2771)
SandPod · Sep 24, 2024 · aeba3a8 · aeba3a8
1 parent 0133c99
commit aeba3a8
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/modules/serverpod_auth/serverpod_auth_server/lib/src/endpoints/user_endpoint.dart b/modules/serverpod_auth/serverpod_auth_server/lib/src/endpoints/user_endpoint.dart
@@ -17,19 +17,31 @@ class UserEndpoint extends Endpoint {
   /// Removes the users uploaded image, replacing it with the default user
   /// image.
   Future<bool> removeUserImage(Session session) async {
+    if (!AuthConfig.current.userCanEditUserImage) {
+      return false;
+    }
+
     var userId = (await session.authenticated)?.userId;
     return await UserImages.setDefaultUserImage(session, userId!);
   }
 
   /// Sets a new user image for the signed in user.
   Future<bool> setUserImage(Session session, ByteData image) async {
+    if (!AuthConfig.current.userCanEditUserImage) {
+      return false;
+    }
+
     var userId = (await session.authenticated)?.userId;
     return await UserImages.setUserImageFromBytes(
         session, userId!, image.buffer.asUint8List());
   }
 
   /// Changes the name of a user.
   Future<bool> changeUserName(Session session, String userName) async {
+    if (!AuthConfig.current.userCanEditUserName) {
+      return false;
+    }
+
     userName = userName.trim();
     if (userName == '') return false;
 
@@ -41,6 +53,10 @@ class UserEndpoint extends Endpoint {
 
   /// Changes the full name of a user.
   Future<bool> changeFullName(Session session, String fullName) async {
+    if (!AuthConfig.current.userCanEditFullName) {
+      return false;
+    }
+
     fullName = fullName.trim();
     if (fullName == '') return false;
 

diff --git a/tests/serverpod_test_server/lib/server.dart b/tests/serverpod_test_server/lib/server.dart
@@ -41,6 +41,7 @@ void run(List<String> args) async {
       print('Sending reset email to ${userInfo.email} with code $resetCode');
       return true;
     },
+    userCanEditFullName: true,
   ));
 
   // Add route to web server