bugfix

4 months ago · 6427eec0a7
1 changed files with 2 additions and 2 deletions
--- a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
+++ b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
@ -168,7 +168,7 @@ public class UserModule extends BaseHandler implements UserHelper {
				@@ -168,7 +168,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 			long userId = Long.parseLong(head);
 			if (user.isEmpty()) return forbidden(ex);
 			if (!(user.get() instanceof DbUser dbUser)) return forbidden(ex);
-			if (dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS)) return forbidden(ex);
+			if (!(dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS))) return forbidden(ex);
 			return sendContent(ex,users.load(userId));
 		} catch (UmbrellaException e) {
 			return send(ex,e);
@ -196,7 +196,7 @@ public class UserModule extends BaseHandler implements UserHelper {
				@@ -196,7 +196,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 			userId = Long.parseLong(head);
 			DbUser editedUser = (DbUser) users.load(userId);

-			if (!(requestingUser.get() instanceof DbUser dbUser) || !dbUser.permissions().contains(UPDATE_USERS)) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
+			if (!(requestingUser.get() instanceof DbUser dbUser) || !(dbUser.id() == userId || dbUser.permissions().contains(UPDATE_USERS))) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());

 			JSONObject json;
 			try {