fix(user-editor): enforce standard user permission

I was mistaken in believing that users should be able to edit their own user properties. We still want to check the appropriate permissions for that. refs #298

fix(user-editor): enforce standard user permission
4468eed5 · Konrad Mohrfeldt · 0cbd37b7 · 4468eed5
Commit 4468eed5 authored 8 months ago by Konrad Mohrfeldt
--- a/src/components/identities/AUserEditor.vue
+++ b/src/components/identities/AUserEditor.vue
 <template>
  <FormTable>
-    <FormGroup v-slot="attrs" :label="t('user.fields.username')" :edit-permissions="editPermission">
+    <FormGroup
+      v-slot="attrs"
+      :label="t('user.fields.username')"
+      edit-permissions="auth.change_user"
+    >
      <input v-model="user.username" required v-bind="attrs" disabled />
    </FormGroup>

@@ -9,7 +13,7 @@
      :label="t('user.fields.firstName')"
      :errors="firstName.errors"
      :is-saving="firstName.isSaving"
-      :edit-permissions="editPermission"
+      edit-permissions="auth.change_user"
    >
      <input v-model="firstName.value" required v-bind="attrs" @blur="firstName.save()" />
    </FormGroup>
@@ -19,7 +23,7 @@
      :label="t('user.fields.lastName')"
      :errors="lastName.errors"
      :is-saving="lastName.isSaving"
-      :edit-permissions="editPermission"
+      edit-permissions="auth.change_user"
    >
      <input v-model="lastName.value" required v-bind="attrs" @blur="lastName.save()" />
    </FormGroup>
@@ -29,7 +33,7 @@
      :label="t('user.fields.email')"
      :errors="email.errors"
      :is-saving="email.isSaving"
-      :edit-permissions="editPermission"
+      edit-permissions="auth.change_user"
    >
      <input v-model="email.value" type="email" required v-bind="attrs" @blur="email.save()" />
    </FormGroup>
@@ -38,7 +42,7 @@
      v-slot="{ disabled }"
      :errors="cba.errors"
      :is-saving="cba.isSaving"
-      :edit-permissions="editPermission"
+      :edit-permissions="['program.add_cba', 'program.change_cba']"
      label="CBA"
      custom-control
    >
@@ -51,7 +55,7 @@
 import { computed } from 'vue'
 import { useAPIObjectFieldCopy } from '@/form'
 import { useI18n } from '@/i18n'
-import { SteeringUser, useAuthStore, useUserStore } from '@/stores/auth'
+import { SteeringUser, useUserStore } from '@/stores/auth'

 import FormTable from '@/components/generic/FormTable.vue'
 import FormGroup from '@/components/generic/FormGroup.vue'
@@ -62,15 +66,8 @@ const props = defineProps<{
 }>()

 const { t } = useI18n()
-const authStore = useAuthStore()
 const userStore = useUserStore()
 const user = computed(() => props.user)
-const editPermission = computed(() =>
-  // This is a hack to simplify our editing logic
-  // All users have the change_user permission, because everyone should be able to edit their own account.
-  // However, only admins can edit accounts other than their own. We don’t have a permission for that yet.
-  user.value.id === authStore.steeringUser?.id ? undefined : '__off__',
-)

 const firstName = useAPIObjectFieldCopy(userStore, user, 'firstName', { debounce: 2 })
 const lastName = useAPIObjectFieldCopy(userStore, user, 'lastName', { debounce: 2 })