/**
 * Builds the model for the user edit form and passes it to the model controller.
 *
 * When editing one's own account, the target id comes from the session user
 * and the request is not consulted. Otherwise the id is read from the "@id"
 * request attribute and two permission checks run before any data is exposed:
 * a session user below the admin role may only edit their own record, and
 * nobody may edit a user whose role is higher than their own.
 *
 * The stored password value is never copied into the form model; the
 * "password" entry is either self::DUMMY_PASS or an empty string.
 *
 * @throws FatalException when findById() reports that the record does not exist
 * @throws HttpException  with code 403 when the session user may not edit the target
 */
protected function model()
{
    $current = $this->session->user();
    /** @var UserModel $target */
    $target = $this->user;

    if ($this->editingSelf) {
        // Self-edit: trust only the session for the id.
        $id = $current->idField();
        if (!$target->findById($id)) {
            throw new FatalException("User {$id} not found");
        }
    } else {
        $currentRole = $current->roleField();
        $id = $this->request->getAttribute("@id");

        // No id means a new user is being created, so there is nothing to load.
        // presumably findById() populates $target with the stored record; verify in UserModel.
        // NOTE(review): the lookup runs before the permission checks, so a caller who
        // would get 403 can still tell an existing id from a missing one if
        // FatalException is rendered differently. Confirm that is acceptable.
        if ($id && !$target->findById($id)) {
            throw new FatalException("User {$id} not found");
        }

        // NOTE(review): the id comparison is loose (!=). PHP compares numeric strings
        // numerically and treats null, 0 and '' as equal, so confirm both idField()
        // values are always same-typed, non-empty ids before relying on this check.
        $belowAdmin = $currentRole < UserInterface::USER_ROLE_ADMIN;
        if ($belowAdmin && $current->idField() != $target->idField()) {
            // Can't edit other users.
            throw new HttpException(403);
        }

        if ($target->roleField() > $currentRole) {
            // Can't edit a user with a higher role.
            throw new HttpException(403);
        }
    }

    // Set a default role for a new user.
    if (!exists($target->roleField())) {
        $target->roleField($this->adminSettings->defaultRole());
    }

    // Populate the form model field by field, in the order the form expects.
    $formModel = ['id' => null];
    $formModel['username'] = $target->usernameField();
    $formModel['realName'] = $target->realNameField();

    // Show a placeholder when a password is stored or an existing user is being
    // edited, so the real value never reaches the form.
    $showPlaceholder = strlen($target->passwordField()) || $id;
    $formModel['password'] = $showPlaceholder ? self::DUMMY_PASS : '';

    $formModel['active'] = $target->activeField();
    $formModel['role'] = $target->roleField();

    $this->modelController->setModel($formModel);
}