From af121a5cbe654f7e040a00194e7a899ecf75aa94 Mon Sep 17 00:00:00 2001
From: oceanzus
Date: Mon, 29 Jun 2020 15:40:16 -0400
Subject: [PATCH] Updates scope rendering. (14783)
---
ooiui/static/js/partials/UserEditForm.html | 9 ++++--
.../js/views/common/UserEditFormView.js | 28 +++++++++++++++----
ooiui/static/json/uiPatchNotes.json | 7 +++++
3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/ooiui/static/js/partials/UserEditForm.html b/ooiui/static/js/partials/UserEditForm.html
index 64b2b15fb..1335c54f8 100644
--- a/ooiui/static/js/partials/UserEditForm.html
+++ b/ooiui/static/js/partials/UserEditForm.html
@@ -8,13 +8,16 @@

Profile

-
+ + <% if(isAdmin === true) { %> + + <% } %>
@@ -116,7 +119,8 @@

Profile

-
+ <% if(isAdmin === true) { %> + + <% } %>
diff --git a/ooiui/static/js/views/common/UserEditFormView.js b/ooiui/static/js/views/common/UserEditFormView.js index 000a76942..4fc86af3c 100644 --- a/ooiui/static/js/views/common/UserEditFormView.js +++ b/ooiui/static/js/views/common/UserEditFormView.js @@ -95,30 +95,46 @@ var UserEditFormView = Backbone.View.extend({ }, template: JST['ooiui/static/js/partials/UserEditForm.html'], render: function() { - this.$el.html(this.template({scopes: this.scopes})); + let self = this; + let isAdmin = false; // Only allow scope modification if - var userModel = new UserModel(); + let userModel = new UserModel(); userModel.url = '/api/current_user'; userModel.fetch({ success: function(collection, response, options) { - var scopes = response.scopes; + let scopes = response.scopes; self.userScopes = scopes; - if(scopes.includes('user_admin')){ + if(scopes.includes('user_admin')) { + isAdmin = true; + } + + // Check if the user is an admin and only render the scopes if so. + if (isAdmin === true) { + self.$el.html(self.template({scopes: self.scopes, isAdmin: isAdmin})); + self.$el.append(self.modalDialog.el); + self.stickit(); + } else { + self.$el.html(self.template({scopes: [], isAdmin: isAdmin})); + self.$el.append(self.modalDialog.el); + self.stickit(); + } + + if(isAdmin === true){ $("#scope_div").show(); $("#active_div").show(); } else { $("#scope_div").hide(); $("#active_div").hide(); } + }, error:function(collection, response, options) { console.log('Error getting user data'); } }); - this.$el.append(this.modalDialog.el); - this.stickit(); + } }); diff --git a/ooiui/static/json/uiPatchNotes.json b/ooiui/static/json/uiPatchNotes.json index 43b5a80e5..823fdd799 100644 --- a/ooiui/static/json/uiPatchNotes.json +++ b/ooiui/static/json/uiPatchNotes.json 
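Review bot: The `isAdmin` flag set in the `success` callback of `render` is derived in the browser from the `/api/current_user` response, so it only decides what is drawn. Together with the `<% if(isAdmin === true) { %>` guards in UserEditForm.html it hides `#scope_div` and `#active_div`, but by itself it does not prevent a request that changes `scopes`. Nothing in this patch shows the server rejecting such a request, so the save endpoint (outside this diff) should be confirmed to check `user_admin` itself, and a comment such as `// Display only: the API must enforce user_admin on scope/active changes` above the check would keep that clear. The `error` callback now leaves the view unrendered because the template, `append` and `stickit()` calls moved into `success`; rendering the restricted form there (`scopes: []`, `isAdmin: false`) would still fail closed without a blank panel. The two render branches differ only in the `scopes` argument and could be one call using `scopes: isAdmin ? self.scopes : []`.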
@@ -1,4 +1,11 @@
 [
+ {
+ "VersionNumber": "1.9.2",
+ "VersionDate": "2020-06-29",
+ "VersionDescription": [
+ "Security: Fixes user profile scope rendering. (14783)"
+ ]
+ },
 {
 "VersionNumber": "1.9.1",
 "VersionDate": "2020-06-09",