From c16262617d1029cb2acc7b3ead07d377dbd2cfe7 Mon Sep 17 00:00:00 2001
From: veselcraft
Date: Tue, 14 Dec 2021 16:00:12 +0300
Subject: [PATCH] Privacy: Fix a lot of issues with user's privacy
And fixes #36
---
Web/Presenters/NotesPresenter.php | 4 ++++
Web/Presenters/PhotosPresenter.php | 6 ++++++
Web/Presenters/UserPresenter.php | 8 ++++++--
Web/Presenters/VideosPresenter.php | 4 ++++
Web/Presenters/templates/User/View.xml | 4 ++++
5 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/Web/Presenters/NotesPresenter.php b/Web/Presenters/NotesPresenter.php
index 0764faf6..443a484a 100644
--- a/Web/Presenters/NotesPresenter.php
+++ b/Web/Presenters/NotesPresenter.php
@@ -19,6 +19,8 @@ final class NotesPresenter extends OpenVKPresenter
 {
 $user = (new Users)->get($owner);
 if(!$user) $this->notFound();
+ if(!$user->getPrivacyPermission('notes.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
 $this->template->notes = $this->notes->getUserNotes($user, (int)($this->queryParam("p") ?? 1));
 $this->template->count = $this->notes->getUserNotesCount($user);
@@ -36,6 +38,8 @@ final class NotesPresenter extends OpenVKPresenter
 $note = $this->notes->getNoteById($owner, $note_id);
 if(!$note || $note->getOwner()->getId() !== $owner || $note->isDeleted())
 $this->notFound();
+ if(!$note->getOwner()->getPrivacyPermission('notes.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
 $this->template->cCount = $note->getCommentsCount();
 $this->template->cPage = (int) ($this->queryParam("p") ?? 1);
diff --git a/Web/Presenters/PhotosPresenter.php b/Web/Presenters/PhotosPresenter.php
index 24fd7829..78c17c1e 100644
--- a/Web/Presenters/PhotosPresenter.php
+++ b/Web/Presenters/PhotosPresenter.php
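Review bot: The deny path in `renderList` depends on `flashFail()` never returning, but that method is not part of this diff; if it only records the flash and issues a redirect without aborting, the two `$this->template` assignments below the check still populate the response for a forbidden viewer. Worth confirming that it throws or aborts (as a redirect helper usually does), or adding an explicit `return;` after the `$this->flashFail(...)` call so the outcome does not depend on it. Note also that `$this->user->identity ?? NULL` passes `NULL` for anonymous visitors, so `getPrivacyPermission()` — also outside this diff — must treat a null viewer as the most restrictive audience rather than as "no restriction". The method signature sits above the hunk.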
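Review bot: In `renderView` the response now differs for a note that does not exist (`notFound()`) and one that exists but whose owner has hidden their notes (forbidden flash), so valid `owner_note_id` pairs can be enumerated even when notes are private. If that distinction is not an accepted trade-off, fold the privacy test into the existing guard so both cases 404: `if(!$note || $note->getOwner()->getId() !== $owner || $note->isDeleted() || !$note->getOwner()->getPrivacyPermission('notes.read', $this->user->identity ?? NULL)) $this->notFound();`. The same existence oracle appears in the other single-item view actions of this patch. The method signature is above the hunk.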
@@ -29,6 +29,8 @@ final class PhotosPresenter extends OpenVKPresenter
 if($owner > 0) {
 $user = $this->users->get($owner);
 if(!$user) $this->notFound();
+ if (!$user->getPrivacyPermission('photos.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
 $this->template->albums = $this->albums->getUserAlbums($user, $this->queryParam("p") ?? 1);
 $this->template->count = $this->albums->getUserAlbumsCount($user);
 $this->template->owner = $user;
@@ -129,6 +131,10 @@ final class PhotosPresenter extends OpenVKPresenter
 if($album->getPrettyId() !== $owner . "_" . $id || $album->isDeleted())
 $this->notFound();
+ if($owner > 0 /* bc we currently don't have perms for clubs */) $ownerObject = (new Users)->get($owner);
+ if(!$ownerObject->getPrivacyPermission('photos.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
+
 $this->template->album = $album;
 $this->template->photos = iterator_to_array( $album->getPhotos( (int) ($this->queryParam("p") ?? 1) ) );
 $this->template->paginatorConf = (object) [
diff --git a/Web/Presenters/UserPresenter.php b/Web/Presenters/UserPresenter.php
index 4f51175c..551976fc 100644
--- a/Web/Presenters/UserPresenter.php
+++ b/Web/Presenters/UserPresenter.php
@@ -54,6 +54,8 @@ final class UserPresenter extends OpenVKPresenter
 $page = abs($this->queryParam("p") ?? 1);
 if(!$user)
 $this->notFound();
+ elseif (!$user->getPrivacyPermission('friends.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
 else
 $this->template->user = $user;
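Review bot: Style: the added condition is spelled `if (!$user->...` with a space before the parenthesis, while every other `if(` in this patch and in the surrounding context (`if($owner > 0)`, `if(!$user)`) has none; keep the file's form, `if(!$user->getPrivacyPermission('photos.read', $this->user->identity ?? NULL))`. Behaviourally the check mirrors the one added to `NotesPresenter::renderList`. The remainder of the `if($owner > 0)` block, and presumably its club branch, lies below the hunk.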
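Review bot: `$ownerObject` is assigned only when `$owner > 0`, yet the very next line calls `$ownerObject->getPrivacyPermission(...)` unconditionally, so for a club album (`$owner <= 0`) this is a method call on an undefined — i.e. null — variable, a fatal `Error` in PHP 7+, and every club album page breaks. The `(new Users)->get($owner)` lookup can also return null for a missing user, which the other hunks handle with `notFound()` but this one does not. Scope the whole check to the user branch and handle the null lookup, as below. The enclosing method begins above the hunk.

```php
if($owner > 0 /* bc we currently don't have perms for clubs */) {
    $ownerObject = (new Users)->get($owner);
    if(!$ownerObject)
        $this->notFound();
    if(!$ownerObject->getPrivacyPermission('photos.read', $this->user->identity ?? NULL))
        $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
}
// … unchanged: template assignments ($album, photos, paginatorConf) …
```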
@@ -78,9 +80,11 @@ final class UserPresenter extends OpenVKPresenter
 $this->assertUserLoggedIn();
 $user = $this->users->get($id);
- if(!$user) {
+ if(!$user)
 $this->notFound();
- } else {
+ elseif (!$user->getPrivacyPermission('groups.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
+ else {
 $this->template->user = $user;
 $this->template->page = $this->queryParam("p") ?? 1;
 $this->template->admin = $this->queryParam("act") == "managed";
diff --git a/Web/Presenters/VideosPresenter.php b/Web/Presenters/VideosPresenter.php
index 47d529ac..0e20a91b 100644
--- a/Web/Presenters/VideosPresenter.php
+++ b/Web/Presenters/VideosPresenter.php
@@ -22,6 +22,8 @@ final class VideosPresenter extends OpenVKPresenter
 {
 $user = $this->users->get($id);
 if(!$user) $this->notFound();
+ if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
 $this->template->user = $user;
 $this->template->videos = $this->videos->getByUser($user, (int) ($this->queryParam("p") ?? 1));
@@ -38,6 +40,8 @@ final class VideosPresenter extends OpenVKPresenter
 {
 $user = $this->users->get($owner);
 if(!$user) $this->notFound();
+ if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL))
+ $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
 if($this->videos->getByOwnerAndVID($owner, $vId)->isDeleted())
 $this->notFound();
diff --git a/Web/Presenters/templates/User/View.xml b/Web/Presenters/templates/User/View.xml
index 58cdaa1d..9c724ec4 100644
--- a/Web/Presenters/templates/User/View.xml
+++ b/Web/Presenters/templates/User/View.xml
@@ -3,6 +3,7 @@
 {block title}{$user->getCanonicalName()}{/block}
 {block headIncludes}
+ {if $user->getPrivacyPermission('page.read', $thisUser ?? NULL)}
@@ -22,6 +23,9 @@
 "url": {('http://') . $_SERVER['HTTP_HOST'] . $user->getURL()}
 }
+ {else}
+
+ {/if}
 {/block}
 {block header}
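Review bot: Style: the rewritten chain mixes brace-less `if(!$user)` and `elseif (...)` arms with a braced `else {`, and writes `elseif (` with a space where the rest of the file uses `if(`; either brace all three arms or none, and keep one spacing, e.g. `elseif(!$user->getPrivacyPermission('groups.read', $this->user->identity ?? NULL))`. Since `assertUserLoggedIn()` runs first, `$this->user->identity ?? NULL` can never be null here, which is harmless but slightly misleading about who can reach this action. The `else` block and the method close below the hunk.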
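Review bot: This is another verbatim copy of the `getPrivacyPermission` + `flashFail` pair (the Notes, Photos and User presenters carry the others in this patch), each re-spelling the ACL key and the error strings by hand. A single helper on the base presenter, e.g. `protected function assertPrivacyPermission($owner, string $permission): void`, wrapping `if(!$owner->getPrivacyPermission($permission, $this->user->identity ?? NULL)) $this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));`, would leave one deny path to audit and make it harder for a future action to forget the check or misspell the key. The method signature is above the hunk.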
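Review bot: The new `page.read` condition wraps only the `headIncludes` block (the meta/JSON-LD lines, whose tags are not preserved in this rendering), while the profile body produced by the blocks further down is untouched, and no presenter in this diff checks `page.read` at all. If the profile action in `UserPresenter` does not already enforce it server-side, hiding the head block is cosmetic: the URL emitted in the second hunk's JSON-LD and everything below remain visible to the viewer the setting is meant to exclude. Confirm that the server-side gate exists, or add it in the presenter rather than only in the template. The block continues past the end of this hunk.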