bookstack/app/Users/Controllers/UserSearchController.php

<?php

namespace BookStack\Users\Controllers;

use BookStack\Http\Controller;
use BookStack\Users\Models\User;
use Illuminate\Http\Request;

class UserSearchController extends Controller
{
    /**
     * Search users in the system, with the response formatted
     * for use in a select-style list.
     */
    public function forSelect(Request $request)
    {
        $hasPermission = !user()->isGuest() && (
            userCan('users-manage')
                || userCan('restrictions-manage-own')
                || userCan('restrictions-manage-all')
        );

        if (!$hasPermission) {
            $this->showPermissionError();
        }

        $search = $request->get('search', '');
        $query = User::query()
            ->orderBy('name', 'asc')
            ->take(20);

        if (!empty($search)) {
            $query->where('name', 'like', '%' . $search . '%');
        }

        return view('form.user-select-list', [
            'users' => $query->get(),
        ]);
    }
}
Added user-select input 2021-01-01 01:25:20 +08:00			`<?php`

Played around with a new app structure 2023-05-18 00:56:55 +08:00			`namespace BookStack\Users\Controllers;`
Added user-select input 2021-01-01 01:25:20 +08:00
Cleaned up namespacing in routes Also moved home controller and moved controllers up a level in http. 2023-05-19 03:53:39 +08:00			`use BookStack\Http\Controller;`
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Users\Models\User;`
Added user-select input 2021-01-01 01:25:20 +08:00			`use Illuminate\Http\Request;`

			`class UserSearchController extends Controller`
			`{`
			`/**`
			`* Search users in the system, with the response formatted`
			`* for use in a select-style list.`
			`*/`
			`public function forSelect(Request $request)`
			`{`
Guest control: Cleaned methods involved in fetching/handling - Moves guest user caching from User class to app container for simplicity. - Updates test to use simpler $this->users->guest() method for consistency. - Streamlined helpers to avoid function overlap for simplicity. - Extracted user profile dropdown while doing changes. 2023-09-16 20:18:35 +08:00			`$hasPermission = !user()->isGuest() && (`
Applied latest StyleCI changes 2021-12-15 21:49:20 +08:00			`userCan('users-manage')`
Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-15 02:47:22 +08:00			`\|\| userCan('restrictions-manage-own')`
			`\|\| userCan('restrictions-manage-all')`
			`);`

			`if (!$hasPermission) {`
			`$this->showPermissionError();`
			`}`

Added user-select input 2021-01-01 01:25:20 +08:00			`$search = $request->get('search', '');`
Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-15 02:47:22 +08:00			`$query = User::query()`
			`->orderBy('name', 'asc')`
Added user-select input 2021-01-01 01:25:20 +08:00			`->take(20);`

			`if (!empty($search)) {`
Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-15 02:47:22 +08:00			`$query->where('name', 'like', '%' . $search . '%');`
Added user-select input 2021-01-01 01:25:20 +08:00			`}`

Addressed user detail harvesting issue Altered access & usage of the /search/users/select endpoint with the following changes: - Removed searching of email address to prevent email detail discovery via hunting via search queries. - Required the user to be logged in and have permission to manage users or manage permissions on items in some way. - Removed the user migration option on user delete unless they have permission to manage users. For #3108 Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/ Reported by @haxatron 2021-12-15 02:47:22 +08:00			`return view('form.user-select-list', [`
			`'users' => $query->get(),`
			`]);`
Added user-select input 2021-01-01 01:25:20 +08:00			`}`
			`}`