Fix critical issue with user settings

Author: driesvints

app/controllers/UsersController.php

@@ -30,11 +30,6 @@ public function getProfile($userName)
     {
         $user = $this->users->requireByName($userName);
 
-        // Make sure that the user which is updated is the one who is currently logged in.
-        if (Auth::user()->id !== $user->id) {
-            App::abort(403);
-        }
-
         $threads = $user->getLatestThreadsPaginated(5);
         $replies = $user->getLatestRepliesPaginated(5);
 
@@ -45,13 +40,23 @@ public function getSettings($userName)
     {
         $user = $this->users->requireByName($userName);
 
+        // Make sure that the user which is updated is the one who is currently logged in.
+        if (Auth::user()->id !== $user->id) {
+            App::abort(403);
+        }
+
         $this->view('users.settings', compact('user'));
     }
 
     public function putSettings($userName)
     {
         $user = $this->users->requireByName($userName);
 
+        // Make sure that the user which is updated is the one who is currently logged in.
+        if (Auth::user()->id !== $user->id) {
+            App::abort(403);
+        }
+
         return $this->updater->update($this, $user, Input::only('email'));
     }
 

app/views/users/_sidebar.blade.php

@@ -7,7 +7,7 @@
     <h1>{{ $user->name }}</h1>
     <p><a class="button" target="_blank" href="{{ $user->github_url }}">Visit GitHub Profile</a></p>
 
-    @if (Auth::check())
+    @if (Auth::check() && Auth::user()->email === $user->email)
         <p><a class="button" href="{{ route('user.settings', $user->name) }}">Edit Account Settings</a></p>
     @endif
 </div>