mirror of
https://github.com/nextcloud/server.git
synced 2026-02-27 18:37:17 +01:00
Respect user enumeration settings on profile
Signed-off-by: Christopher Ng <chrng8@gmail.com>
This commit is contained in:
Christopher Ng
@@ -26,14 +26,17 @@ declare(strict_types=1);
|
||||
|
||||
namespace OC\Core\Controller;
|
||||
|
||||
use OC\KnownUser\KnownUserService;
|
||||
use OC\Profile\ProfileManager;
|
||||
use OCP\Accounts\IAccountManager;
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http\TemplateResponse;
|
||||
use OCP\AppFramework\Services\IInitialState;
|
||||
use OCP\IGroupManager;
|
||||
use OCP\IRequest;
|
||||
use OCP\IUserManager;
|
||||
use OCP\IUserSession;
|
||||
use OC\Profile\ProfileManager;
|
||||
use OCP\Share\IManager as IShareManager;
|
||||
use OCP\UserStatus\IManager as IUserStatusManager;
|
||||
|
||||
class ProfilePageController extends Controller {
|
||||
@@ -48,6 +51,15 @@ class ProfilePageController extends Controller {
|
||||
/** @var ProfileManager */
|
||||
private $profileManager;
|
||||
|
||||
/** @var IShareManager */
|
||||
private $shareManager;
|
||||
|
||||
/** @var IGroupManager */
|
||||
private $groupManager;
|
||||
|
||||
/** @var KnownUserService */
|
||||
private $knownUserService;
|
||||
|
||||
/** @var IUserManager */
|
||||
private $userManager;
|
||||
|
||||
@@ -63,6 +75,9 @@ class ProfilePageController extends Controller {
|
||||
IInitialState $initialStateService,
|
||||
IAccountManager $accountManager,
|
||||
ProfileManager $profileManager,
|
||||
IShareManager $shareManager,
|
||||
IGroupManager $groupManager,
|
||||
KnownUserService $knownUserService,
|
||||
IUserManager $userManager,
|
||||
IUserSession $userSession,
|
||||
IUserStatusManager $userStatusManager
|
||||
@@ -71,6 +86,9 @@ class ProfilePageController extends Controller {
|
||||
$this->initialStateService = $initialStateService;
|
||||
$this->accountManager = $accountManager;
|
||||
$this->profileManager = $profileManager;
|
||||
$this->shareManager = $shareManager;
|
||||
$this->groupManager = $groupManager;
|
||||
$this->knownUserService = $knownUserService;
|
||||
$this->userManager = $userManager;
|
||||
$this->userSession = $userSession;
|
||||
$this->userStatusManager = $userStatusManager;
|
||||
@@ -83,13 +101,15 @@ class ProfilePageController extends Controller {
|
||||
* @NoSubAdminRequired
|
||||
*/
|
||||
public function index(string $targetUserId): TemplateResponse {
|
||||
$profileNotFoundTemplate = new TemplateResponse(
|
||||
'core',
|
||||
'404-profile',
|
||||
[],
|
||||
TemplateResponse::RENDER_AS_GUEST,
|
||||
);
|
||||
|
||||
if (!$this->userManager->userExists($targetUserId)) {
|
||||
return new TemplateResponse(
|
||||
'core',
|
||||
'404-profile',
|
||||
[],
|
||||
TemplateResponse::RENDER_AS_GUEST,
|
||||
);
|
||||
return $profileNotFoundTemplate;
|
||||
}
|
||||
|
||||
$visitingUser = $this->userSession->getUser();
|
||||
@@ -97,12 +117,37 @@ class ProfilePageController extends Controller {
|
||||
$targetAccount = $this->accountManager->getAccount($targetUser);
|
||||
|
||||
if (!$this->isProfileEnabled($targetAccount)) {
|
||||
return new TemplateResponse(
|
||||
'core',
|
||||
'404-profile',
|
||||
[],
|
||||
TemplateResponse::RENDER_AS_GUEST,
|
||||
);
|
||||
return $profileNotFoundTemplate;
|
||||
}
|
||||
|
||||
// Run user enumeration checks only if viewing another user's profile
|
||||
if ($targetUser !== $visitingUser) {
|
||||
if ($this->shareManager->allowEnumerationFullMatch()) {
|
||||
// Full id match is allowed
|
||||
} elseif (!$this->shareManager->allowEnumeration()) {
|
||||
return $profileNotFoundTemplate;
|
||||
} else {
|
||||
if ($this->shareManager->limitEnumerationToGroups() || $this->shareManager->limitEnumerationToPhone()) {
|
||||
$targerUserGroupIds = $this->groupManager->getUserGroupIds($targetUser);
|
||||
$visitingUserGroupIds = $this->groupManager->getUserGroupIds($visitingUser);
|
||||
if ($this->shareManager->limitEnumerationToGroups() && $this->shareManager->limitEnumerationToPhone()) {
|
||||
if (
|
||||
empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds))
|
||||
&& !$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID())
|
||||
) {
|
||||
return $profileNotFoundTemplate;
|
||||
}
|
||||
} elseif ($this->shareManager->limitEnumerationToGroups()) {
|
||||
if (empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds))) {
|
||||
return $profileNotFoundTemplate;
|
||||
}
|
||||
} elseif ($this->shareManager->limitEnumerationToPhone()) {
|
||||
if (!$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID())) {
|
||||
return $profileNotFoundTemplate;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$userStatuses = $this->userStatusManager->getUserStatuses([$targetUserId]);
|
||||
|
||||
Reference in New Issue
Block a user