[FEATURE] add "Profile update not authorized" error message

if the user attempt to delete the profile picture of a different user

Resolves: in2code-de/femanager/issues#667

Author: sebastianstein

Classes/Controller/UserController.php

@@ -15,6 +15,7 @@
 use Psr\Http\Message\ResponseInterface;
 use TYPO3\CMS\Core\Error\Http\UnauthorizedException;
 use TYPO3\CMS\Core\Http\RedirectResponse;
+use TYPO3\CMS\Core\Type\ContextualFeedbackSeverity;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Extbase\Persistence\ObjectStorage;
 
@@ -53,14 +54,20 @@ public function showAction(?User $user = null): ResponseInterface
      */
     public function imageDeleteAction(User $user): ResponseInterface
     {
-        if (UserUtility::getCurrentUser()->getUid() !== $user->getUid()) {
-            throw new UnauthorizedException('You are not allowed to delete this image', 1516373759972);
+        $currentUser = UserUtility::getCurrentUser();
+        if ($currentUser && $currentUser->getUid() === $user->getUid()) {
+            $user->setImage(GeneralUtility::makeInstance(ObjectStorage::class));
+            $this->userRepository->update($user);
+            $this->logUtility->log(Log::STATUS_PROFILEUPDATEIMAGEDELETE, $user);
+            $this->addFlashMessage(LocalizationUtility::translateByState(Log::STATUS_PROFILEUPDATEIMAGEDELETE));
+        } else {
+            $this->logUtility->log(Log::STATUS_PROFILEUPDATENOTAUTHORIZED, $user);
+            $this->addFlashMessage(
+                LocalizationUtility::translateByState(Log::STATUS_PROFILEUPDATENOTAUTHORIZED),
+                '',
+                ContextualFeedbackSeverity::ERROR);
         }
 
-        $user->setImage(GeneralUtility::makeInstance(ObjectStorage::class));
-        $this->userRepository->update($user);
-        $this->logUtility->log(Log::STATUS_PROFILEUPDATEIMAGEDELETE, $user);
-        $this->addFlashMessage(LocalizationUtility::translateByState(Log::STATUS_PROFILEUPDATEIMAGEDELETE));
         return $this->redirectToUri(FrontendUtility::getUriToCurrentPage());
     }
 

Classes/Domain/Model/Log.php

@@ -37,6 +37,8 @@ class Log extends AbstractEntity
 
     final public const STATUS_PROFILEUPDATEATTEMPTEDSPOOF = 207;
 
+    final public const STATUS_PROFILEUPDATENOTAUTHORIZED = 208;
+
     final public const STATUS_PROFILEDELETE = 301;
 
     final public const STATUS_INVITATIONPROFILECREATED = 401;

Resources/Private/Language/locallang.xlf

@@ -165,6 +165,9 @@
 			<trans-unit id="tx_femanager_domain_model_log.state.207">
 				<source>Attempted to spoof profile</source>
 			</trans-unit>
+			<trans-unit id="tx_femanager_domain_model_log.state.208">
+				<source>Profile update not authorized</source>
+			</trans-unit>
 			<trans-unit id="tx_femanager_domain_model_log.state.300">
 				<source>Delete</source>
 			</trans-unit>

Resources/Private/Language/locallang_db.xlf

@@ -177,6 +177,9 @@
 			<trans-unit id="tx_femanager_domain_model_log.state.207">
 				<source>Attempted to spoof profile</source>
 			</trans-unit>
+			<trans-unit id="tx_femanager_domain_model_log.state.208">
+				<source>Profile update not authorized</source>
+			</trans-unit>
 			<trans-unit id="tx_femanager_domain_model_log.state.300">
 				<source>Delete</source>
 			</trans-unit>