- let params: any;
- if (linkAccountData.type === LinkAccountType.ACCESS_OTHER_ACCOUNT || linkAccountData.type === LinkAccountType.ACCESS_OTHER_REMOTE_ACCOUNT) {
- params = {
- originatingUser: OriginatingUser.USER_TO_LINK,
- targetUser: curUserResource,
- targetUserToken: curToken,
- userToLink: savedUserResource,
- userToLinkToken: linkAccountData.token
- };
- }
- else if (linkAccountData.type === LinkAccountType.ADD_OTHER_LOGIN || linkAccountData.type === LinkAccountType.ADD_LOCAL_TO_REMOTE) {
- params = {
- originatingUser: OriginatingUser.TARGET_USER,
- targetUser: savedUserResource,
- targetUserToken: linkAccountData.token,
- userToLink: curUserResource,
- userToLinkToken: curToken
- };
- }
- else {
- // This should never really happen, but just in case, switch to the user that
- // originated the linking operation (i.e. the user saved in session data)
- dispatch(switchUser(savedUserResource, linkAccountData.token));
- services.linkAccountService.removeAccountToLink();
- dispatch(linkAccountPanelActions.LINK_INIT({targetUser:savedUserResource}));
- }
+ // Use the token of the user we are getting data for. This avoids any admin/non-admin permissions
+ // issues since a user will always be able to query the api server for their own user data.
+ setAuthorizationHeader(services, linkAccountData.token);
+ const savedUserResource = await services.userService.get(linkAccountData.userUuid);
+ setAuthorizationHeader(services, curToken);
+
+ let params: any;
+ if (linkAccountData.type === LinkAccountType.ACCESS_OTHER_ACCOUNT || linkAccountData.type === LinkAccountType.ACCESS_OTHER_REMOTE_ACCOUNT) {
+ params = {
+ originatingUser: OriginatingUser.USER_TO_LINK,
+ targetUser: curUserResource,
+ targetUserToken: curToken,
+ userToLink: savedUserResource,
+ userToLinkToken: linkAccountData.token
+ };
+ }
+ else if (linkAccountData.type === LinkAccountType.ADD_OTHER_LOGIN || linkAccountData.type === LinkAccountType.ADD_LOCAL_TO_REMOTE) {
+ params = {
+ originatingUser: OriginatingUser.TARGET_USER,
+ targetUser: savedUserResource,
+ targetUserToken: linkAccountData.token,
+ userToLink: curUserResource,
+ userToLinkToken: curToken
+ };
+ }
+ else {
+ throw new Error("Unknown link account type");
+ }
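Review bot: If `services.userService.get(linkAccountData.userUuid)` rejects, the `setAuthorizationHeader(services, curToken)` on the following line never runs, so the client is left authenticated with `linkAccountData.token` and later requests would be made as the other account, unless a handler outside this hunk restores the header. Restore it unconditionally: `let savedUserResource; try { savedUserResource = await services.userService.get(linkAccountData.userUuid); } finally { setAuthorizationHeader(services, curToken); }`. The header also looks like shared state on `services`, so a request issued elsewhere while this await is pending would presumably carry the other user's token; a per-request token for this single lookup would close that window. The enclosing function starts and ends outside the hunk, so the surrounding error handling could not be checked.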