From aeba3a8d126a2f4eb814bbb772ae71f9a36fa237 Mon Sep 17 00:00:00 2001 From: Viktor Lidholt Date: Tue, 24 Sep 2024 09:40:16 +0200 Subject: [PATCH] fix(authentication): Correctly checks settings before letting a user change name or image. (#2771) --- .../lib/src/endpoints/user_endpoint.dart | 16 ++++++++++++++++ tests/serverpod_test_server/lib/server.dart | 1 + 2 files changed, 17 insertions(+) diff --git a/modules/serverpod_auth/serverpod_auth_server/lib/src/endpoints/user_endpoint.dart b/modules/serverpod_auth/serverpod_auth_server/lib/src/endpoints/user_endpoint.dart index 39685e211c..312d35cb33 100644 --- a/modules/serverpod_auth/serverpod_auth_server/lib/src/endpoints/user_endpoint.dart +++ b/modules/serverpod_auth/serverpod_auth_server/lib/src/endpoints/user_endpoint.dart @@ -17,12 +17,20 @@ class UserEndpoint extends Endpoint { /// Removes the users uploaded image, replacing it with the default user /// image. Future removeUserImage(Session session) async { + if (!AuthConfig.current.userCanEditUserImage) { + return false; + } + var userId = (await session.authenticated)?.userId; return await UserImages.setDefaultUserImage(session, userId!); } /// Sets a new user image for the signed in user. Future setUserImage(Session session, ByteData image) async { + if (!AuthConfig.current.userCanEditUserImage) { + return false; + } + var userId = (await session.authenticated)?.userId; return await UserImages.setUserImageFromBytes( session, userId!, image.buffer.asUint8List()); @@ -30,6 +38,10 @@ class UserEndpoint extends Endpoint { /// Changes the name of a user. Future changeUserName(Session session, String userName) async { + if (!AuthConfig.current.userCanEditUserName) { + return false; + } + userName = userName.trim(); if (userName == '') return false; 
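Review bot: `image.buffer.asUint8List()` on the last line of setUserImage converts the entire underlying buffer rather than the `ByteData` view it was given — if the deserialized `image` is a view with a non-zero `offsetInBytes` or a shorter `lengthInBytes`, bytes outside the view end up in the stored image; `image.buffer.asUint8List(image.offsetInBytes, image.lengthInBytes)` is the safe form. The new `userCanEditUserImage` guards themselves are fine and correctly run before any work is done. Both methods still dereference `userId!`, which throws on an unauthenticated session unless the endpoint sets `requireLogin` (not visible in this hunk); an explicit `if (userId == null) return false;` after the lookup would turn that into a clean denial. Nothing visible bounds the size of `image` before it reaches `UserImages.setUserImageFromBytes`; confirm a limit exists there or in the transport, since this is client-supplied data decoded server-side.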
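Review bot: The doc comment `/// Changes the name of a user.` above the new guard does not say that the method now returns `false` when editing is disabled by configuration, and callers cannot distinguish that from the empty-name rejection on the last context line; suggest adding `/// Returns false if [AuthConfig.userCanEditUserName] is false or the trimmed name is empty.` as a second doc line. As a point of style, the existing `if (userName == '') return false;` reads better as `if (userName.isEmpty) return false;`. The body of changeUserName continues past the end of the hunk.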
@@ -41,6 +53,10 @@ class UserEndpoint extends Endpoint { /// Changes the full name of a user. Future changeFullName(Session session, String fullName) async { + if (!AuthConfig.current.userCanEditFullName) { + return false; + } + fullName = fullName.trim(); if (fullName == '') return false; diff --git a/tests/serverpod_test_server/lib/server.dart b/tests/serverpod_test_server/lib/server.dart index 60f3b66f0c..ae17bce1d4 100644 --- a/tests/serverpod_test_server/lib/server.dart +++ b/tests/serverpod_test_server/lib/server.dart @@ -41,6 +41,7 @@ void run(List args) async { print('Sending reset email to ${userInfo.email} with code $resetCode'); return true; }, + userCanEditFullName: true, )); // Add route to web server
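Review bot: After the new `userCanEditFullName` guard, the only validation visible for `fullName` is the trim and empty check on the last two context lines; no length cap or control-character filter is visible, so unless the remainder of changeFullName (outside the hunk) or the column definition bounds it, an authenticated client can store arbitrarily long names. A cap such as `if (fullName.isEmpty || fullName.length > 128) return false;` in place of the empty check would close that. The same three-line guard now appears in four methods of this endpoint; a small private helper would keep them in step if more flags are added later, though that is optional.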
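Review bot: The test server now enables only `userCanEditFullName`, and the diffstat lists no test file, so the deny path the four endpoint guards introduce (a `false` return when the flag is off) is not exercised anywhere in this patch; a test that builds the `AuthConfig` with the flag off and asserts `false` from `changeFullName` would pin the fix. If the other flags default to false (their defaults are not visible here), the existing user-name and image tests will now also pass through the new guards, which is worth confirming before merge.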