agent foundation
This commit is contained in:
@@ -99,6 +99,7 @@ class UserAuthorizationPolicy implements AuthorizationPolicyInterface
|
||||
return $this->authorizeAdminUserWithPermission(PermissionService::USERS_CREATE, $context, false);
|
||||
}
|
||||
|
||||
// Returns the full capabilities map as attributes — the submit handler re-uses it to avoid recalculating.
|
||||
private function authorizeAdminUsersEditContext(array $context): AuthorizationDecision
|
||||
{
|
||||
return $this->buildEditContextDecision($context);
|
||||
@@ -309,6 +310,7 @@ class UserAuthorizationPolicy implements AuthorizationPolicyInterface
|
||||
return AuthorizationDecision::allow();
|
||||
}
|
||||
|
||||
// 404 instead of 403 — don't reveal that the resource exists outside the actor's scope.
|
||||
if (!$this->scopeGateway->canAccess('users', $targetUserId, $actorUserId)) {
|
||||
return AuthorizationDecision::deny(404, 'not_found');
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user