bug: Users can now acces their own information and change passwd

src/authm/AuthManager.cc

@@ -82,15 +82,20 @@ void AuthRequest::add_auth(Object        ob,
         gid == GroupPool::ONEADMIN_ID ||
 
         // User is the owner of the object, for certain operations
-        (   owner == uid &&
+        ( owner == uid &&
-            ( op == DELETE || op == USE || op == MANAGE ||
+           ( op == DELETE || op == USE || op == MANAGE ||
-              op == INFO   || op == INSTANTIATE )
+             op == INFO   || op == INSTANTIATE )
         ) ||
 
         // Object is public and user is in its group, for certain operations
-        (   pub && ( gid == ob_gid ) &&
+        ( pub && ( gid == ob_gid ) &&
-            (op == USE || op == INSTANTIATE || op == INFO ) &&
+           ( op == USE || op == INSTANTIATE || op == INFO ) &&
-            (ob == NET || ob == IMAGE || ob == TEMPLATE)
+           ( ob == NET || ob == IMAGE || ob == TEMPLATE)
+        ) ||
+
+        // User can show and MANAGE (change passwd) their own information
+        ( uid == ob_id_int && ob == USER &&
+           ( op == INFO || op == MANAGE )  
         )
     )
     {

src/rm/RequestManagerInfo.cc

@@ -28,11 +28,6 @@ void RequestManagerInfo::request_execute(xmlrpc_c::paramList const& paramList,
     PoolObjectSQL * object;
     string          str;
 
-    if ( basic_authorization(oid, att) == false )
-    {
-        return;
-    }
-
     if ( oid == -1 )
     {
         if ( auth_object == AuthRequest::USER )
@@ -45,6 +40,11 @@ void RequestManagerInfo::request_execute(xmlrpc_c::paramList const& paramList,
         }
     }
 
+    if ( basic_authorization(oid, att) == false )
+    {
+        return;
+    }
+
     object = pool->get(oid,true);
 
     if ( object == 0 )