working on permissions and messages

user/src/main/java/de/srsoftware/umbrella/user/UserModule.java

@@ -86,10 +86,10 @@ public class UserModule extends PathHandler {
 		};
 		try {
 			long userId = Long.parseLong(head);
-			if (userId == user.id() || (user instanceof DbUser dbUser && dbUser.permissions().contains(LIST_USERS))) {
-				var requestedUser = users.load(userId);
-				return sendContent(ex,requestedUser);
+			if (!(user instanceof DbUser dbUser && (user.id() == userId || dbUser.permissions().contains(LIST_USERS)))) {
+				return sendEmptyResponse(HTTP_FORBIDDEN,ex);
 			}
+			return sendContent(ex,users.load(userId));
 		} catch (UmbrellaException e) {
 			return sendContent(ex,e.statusCode(),e.getMessage());
 		} catch (NumberFormatException ignored) {}
@@ -224,9 +224,7 @@ public class UserModule extends PathHandler {
 			if (!(requestingUser instanceof DbUser dbUser && dbUser.permissions().contains(PERMISSION.IMPERSONATE))) return sendEmptyResponse(HTTP_FORBIDDEN,ex);
 			if (targetId == null) return sendContent(ex,HTTP_UNPROCESSABLE,"user id missing");
 			var targetUser = users.load(targetId);
-			users.getSession(targetUser)
-					.cookie()
-					.addTo(ex.getResponseHeaders());
+			users.getSession(targetUser).cookie().addTo(ex);
 			return sendContent(ex,targetUser.toMap());
 		} catch (UmbrellaException e) {
 			return sendContent(ex,e.statusCode(),e.getMessage());
@@ -278,9 +276,7 @@ public class UserModule extends PathHandler {
 		var hashedPass = Password.of(BAD_HASHER.hash(password,null));
 		try {
 			var user = users.load(username, hashedPass);
-			users.getSession(user)
-					.cookie()
-					.addTo(ex.getResponseHeaders());
+			users.getSession(user).cookie().addTo(ex);
 			return sendContent(ex,user);
 		} catch (UmbrellaException ue){
 			return sendContent(ex,ue.statusCode(),ue.getMessage());