Hide users menu for non-admins (pull-request #284)

app/Model/Acl.php

@@ -34,7 +34,7 @@ class Acl extends Base
         'app' => array('index'),
         'board' => array('index', 'show', 'save', 'check', 'changeassignee', 'updateassignee', 'changecategory', 'updatecategory'),
         'project' => array('tasks', 'index', 'forbidden', 'search', 'export', 'show', 'activity'),
-        'user' => array('index', 'edit', 'forbidden', 'logout', 'index', 'show', 'external', 'unlinkgoogle', 'unlinkgithub', 'sessions', 'removesession', 'last', 'notifications', 'password'),
+        'user' => array('edit', 'forbidden', 'logout', 'show', 'external', 'unlinkgoogle', 'unlinkgithub', 'sessions', 'removesession', 'last', 'notifications', 'password'),
         'comment' => array('create', 'save', 'confirm', 'remove', 'update', 'edit', 'forbidden'),
         'file' => array('create', 'save', 'download', 'confirm', 'remove', 'open', 'image'),
         'subtask' => array('create', 'save', 'edit', 'update', 'confirm', 'remove'),

app/Templates/layout.php

@@ -56,10 +56,10 @@
                     <li <?= isset($menu) && $menu === 'projects' ? 'class="active"' : '' ?>>
                         <a href="?controller=project"><?= t('Projects') ?></a>
                     </li>
-                    <li <?= isset($menu) && $menu === 'users' ? 'class="active"' : '' ?>>
-                        <a href="?controller=user"><?= t('Users') ?></a>
-                    </li>
                     <?php if (Helper\is_admin()): ?>
+                        <li <?= isset($menu) && $menu === 'users' ? 'class="active"' : '' ?>>
+                            <a href="?controller=user"><?= t('Users') ?></a>
+                        </li>
                         <li class="hide-tablet <?= isset($menu) && $menu === 'config' ? 'active' : '' ?>">
                             <a href="?controller=config"><?= t('Settings') ?></a>
                         </li>

app/Templates/user_layout.php

@@ -1,12 +1,12 @@
 <section id="main">
     <div class="page-header">
         <h2><?= Helper\escape($user['name'] ?: $user['username']).' (#'.$user['id'].')' ?></h2>
+        <?php if (Helper\is_admin()): ?>
         <ul>
             <li><a href="?controller=user&amp;action=index"><?= t('All users') ?></a></li>
-            <?php if (Helper\is_admin()): ?>
-                <li><a href="?controller=user&amp;action=create"><?= t('New user') ?></a></li>
-            <?php endif ?>
+            <li><a href="?controller=user&amp;action=create"><?= t('New user') ?></a></li>
         </ul>
+        <?php endif ?>
     </div>
     <section class="user-show" id="user-section">
 

tests/units/AclTest.php

@@ -90,7 +90,7 @@ class AclTest extends Base
         $this->assertFalse($acl->isPageAccessAllowed('user', 'remove'));
         $this->assertFalse($acl->isPageAccessAllowed('user', 'confirm'));
         $this->assertTrue($acl->isPageAccessAllowed('app', 'index'));
-        $this->assertTrue($acl->isPageAccessAllowed('user', 'index'));
+        $this->assertFalse($acl->isPageAccessAllowed('user', 'index'));
         $this->assertTrue($acl->isPageAccessAllowed('user', 'login'));
         $this->assertTrue($acl->isPageAccessAllowed('user', 'check'));
         $this->assertTrue($acl->isPageAccessAllowed('webhook', 'task'));