3.4.0

kirby/src/Cms/Api.php

@@ -39,7 +39,8 @@ class Api extends BaseApi
 
         $this->kirby->setCurrentLanguage($this->language());
 
-        if ($user = $this->kirby->user()) {
+        $allowImpersonation = $this->kirby()->option('api.allowImpersonation', false);
+        if ($user = $this->kirby->user(null, $allowImpersonation)) {
             $this->kirby->setCurrentTranslation($user->language());
         }
 
@@ -95,8 +96,9 @@ class Api extends BaseApi
     public function file(string $path = null, string $filename)
     {
         $filename = urldecode($filename);
+        $file     = $this->parent($path)->file($filename);
 
-        if ($file = $this->parent($path)->file($filename)) {
+        if ($file && $file->isReadable() === true) {
             return $file;
         }
 
@@ -136,7 +138,7 @@ class Api extends BaseApi
                 $model = $kirby->site();
                 break;
             case 'account':
-                $model = $kirby->user();
+                $model = $kirby->user(null, $kirby->option('api.allowImpersonation', false));
                 break;
             case 'page':
                 $id    = str_replace(['+', ' '], '/', basename($path));
@@ -192,7 +194,7 @@ class Api extends BaseApi
         $id   = str_replace('+', '/', $id);
         $page = $this->kirby->page($id);
 
-        if ($page && $page->isReadable()) {
+        if ($page && $page->isReadable() === true) {
             return $page;
         }
 
@@ -242,7 +244,7 @@ class Api extends BaseApi
     {
         // get the authenticated user
         if ($id === null) {
-            return $this->kirby->auth()->user();
+            return $this->kirby->auth()->user(null, $this->kirby()->option('api.allowImpersonation', false));
         }
 
         // get a specific user by id