diff --git a/app/Users/Controllers/UserController.php b/app/Users/Controllers/UserController.php
index 1c1b7ba23..0cd48948f 100644
--- a/app/Users/Controllers/UserController.php
+++ b/app/Users/Controllers/UserController.php
@@ -103,6 +103,7 @@ class UserController extends Controller
*/
public function edit(int $id, SocialAuthService $socialAuthService)
{
+ $this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id);
@@ -133,6 +134,7 @@ class UserController extends Controller
public function update(Request $request, int $id)
{
$this->preventAccessInDemoMode();
+ $this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$validated = $this->validate($request, [
@@ -176,6 +178,7 @@ class UserController extends Controller
*/
public function delete(int $id)
{
+ $this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id);
@@ -192,6 +195,7 @@ class UserController extends Controller
public function destroy(Request $request, int $id)
{
$this->preventAccessInDemoMode();
+ $this->preventGuestAccess();
$this->checkPermissionOrCurrentUser('users-manage', $id);
$user = $this->userRepo->getById($id);
diff --git a/tests/PublicActionTest.php b/tests/PublicActionTest.php
index 6f0e2f1d3..1e4dcbfb7 100644
--- a/tests/PublicActionTest.php
+++ b/tests/PublicActionTest.php
@@ -207,4 +207,16 @@ class PublicActionTest extends TestCase
$this->withHtml($resp)->assertLinkExists($page->getUrl('/edit'));
}
+
+ public function test_public_user_cannot_view_or_update_their_profile()
+ {
+ $this->setSettings(['app-public' => 'true']);
+ $guest = $this->users->guest();
+
+ $resp = $this->get($guest->getEditUrl());
+ $this->assertPermissionError($resp);
+
+ $resp = $this->put($guest->getEditUrl(), ['name' => 'My new guest name']);
+ $this->assertPermissionError($resp);
+ }
}