Privacy: Fix a lot of issues with user's privacy

And fixes #36
This commit is contained in:
veselcraft 2021-12-14 16:00:12 +03:00
parent 7dc3e8965d
commit c16262617d
No known key found for this signature in database
GPG key ID: AED66BC1AC628A4E
5 changed files with 24 additions and 2 deletions


@ -19,6 +19,8 @@ final class NotesPresenter extends OpenVKPresenter
{ {
$user = (new Users)->get($owner); $user = (new Users)->get($owner);
if(!$user) $this->notFound(); if(!$user) $this->notFound();
if(!$user->getPrivacyPermission('notes.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
$this->template->notes = $this->notes->getUserNotes($user, (int)($this->queryParam("p") ?? 1)); $this->template->notes = $this->notes->getUserNotes($user, (int)($this->queryParam("p") ?? 1));
$this->template->count = $this->notes->getUserNotesCount($user); $this->template->count = $this->notes->getUserNotesCount($user);
@ -36,6 +38,8 @@ final class NotesPresenter extends OpenVKPresenter
$note = $this->notes->getNoteById($owner, $note_id); $note = $this->notes->getNoteById($owner, $note_id);
if(!$note || $note->getOwner()->getId() !== $owner || $note->isDeleted()) if(!$note || $note->getOwner()->getId() !== $owner || $note->isDeleted())
$this->notFound(); $this->notFound();
if(!$note->getOwner()->getPrivacyPermission('notes.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
$this->template->cCount = $note->getCommentsCount(); $this->template->cCount = $note->getCommentsCount();
$this->template->cPage = (int) ($this->queryParam("p") ?? 1); $this->template->cPage = (int) ($this->queryParam("p") ?? 1);
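Review bot: The privacy gate added in both hunks is the same two-line sequence that this commit repeats in PhotosPresenter, UserPresenter and VideosPresenter as well, each with its own `'<area>.read'` key and the identical `$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"))` response, so the guest handling (`$this->user->identity ?? NULL`) and the forbidden reply now live in five places. A single helper on the base presenter, called as `$this->assertPrivacyPermission($user, 'notes.read');`, would keep them in one spot so a later change to the response or to how anonymous viewers are passed applies everywhere. The check also relies on `flashFail()` ending the request the way `notFound()` does; if it only records the flash and returns, execution falls through to the `$this->template->notes` assignment on the next line, which is worth confirming since the hunk does not show its implementation. Both enclosing methods start before their hunks.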


@ -29,6 +29,8 @@ final class PhotosPresenter extends OpenVKPresenter
if($owner > 0) { if($owner > 0) {
$user = $this->users->get($owner); $user = $this->users->get($owner);
if(!$user) $this->notFound(); if(!$user) $this->notFound();
if (!$user->getPrivacyPermission('photos.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
$this->template->albums = $this->albums->getUserAlbums($user, $this->queryParam("p") ?? 1); $this->template->albums = $this->albums->getUserAlbums($user, $this->queryParam("p") ?? 1);
$this->template->count = $this->albums->getUserAlbumsCount($user); $this->template->count = $this->albums->getUserAlbumsCount($user);
$this->template->owner = $user; $this->template->owner = $user;
@ -129,6 +131,10 @@ final class PhotosPresenter extends OpenVKPresenter
if($album->getPrettyId() !== $owner . "_" . $id || $album->isDeleted()) if($album->getPrettyId() !== $owner . "_" . $id || $album->isDeleted())
$this->notFound(); $this->notFound();
if($owner > 0 /* bc we currently don't have perms for clubs */) $ownerObject = (new Users)->get($owner);
if(!$ownerObject->getPrivacyPermission('photos.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
$this->template->album = $album; $this->template->album = $album;
$this->template->photos = iterator_to_array( $album->getPhotos( (int) ($this->queryParam("p") ?? 1) ) ); $this->template->photos = iterator_to_array( $album->getPhotos( (int) ($this->queryParam("p") ?? 1) ) );
$this->template->paginatorConf = (object) [ $this->template->paginatorConf = (object) [
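Review bot: In the second hunk `$ownerObject` is assigned only when `$owner > 0`, but the `getPrivacyPermission('photos.read', …)` call on the following line runs unconditionally, so opening a club-owned album (the `$owner <= 0` case the inline comment says has no permissions yet) reaches an undefined variable and a method call on null. The guard has to cover the check itself, e.g. `if($owner > 0 && !(new Users)->get($owner)->getPrivacyPermission('photos.read', $this->user->identity ?? NULL))` followed by the existing `flashFail` line, or the check can be nested inside an `if($owner > 0)` block the way the first hunk of this file already does. `(new Users)->get($owner)` can presumably return null as well; the first hunk's `$this->users->get()` / `notFound()` pattern would be the consistent way to handle that. The enclosing method starts before the hunk.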


@ -54,6 +54,8 @@ final class UserPresenter extends OpenVKPresenter
$page = abs($this->queryParam("p") ?? 1); $page = abs($this->queryParam("p") ?? 1);
if(!$user) if(!$user)
$this->notFound(); $this->notFound();
elseif (!$user->getPrivacyPermission('friends.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
else else
$this->template->user = $user; $this->template->user = $user;
@ -78,9 +80,11 @@ final class UserPresenter extends OpenVKPresenter
$this->assertUserLoggedIn(); $this->assertUserLoggedIn();
$user = $this->users->get($id); $user = $this->users->get($id);
if(!$user) { if(!$user)
$this->notFound(); $this->notFound();
} else { elseif (!$user->getPrivacyPermission('groups.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
else {
$this->template->user = $user; $this->template->user = $user;
$this->template->page = $this->queryParam("p") ?? 1; $this->template->page = $this->queryParam("p") ?? 1;
$this->template->admin = $this->queryParam("act") == "managed"; $this->template->admin = $this->queryParam("act") == "managed";
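Review bot: The second hunk mixes bracing styles within one if-chain: the `if(!$user)` and the new `elseif` branches are brace-less single statements while the `else {` keeps its block, and the new `elseif (` carries a space before the parenthesis where the surrounding file writes `if(`. Either bracing every branch or none would read more consistently, e.g. `if(!$user) {`, `} elseif(!$user->getPrivacyPermission('groups.read', $this->user->identity ?? NULL)) {`, `} else {`. The same spacing applies to the `elseif (` in the first hunk. Both enclosing methods continue past the hunks.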


@ -22,6 +22,8 @@ final class VideosPresenter extends OpenVKPresenter
{ {
$user = $this->users->get($id); $user = $this->users->get($id);
if(!$user) $this->notFound(); if(!$user) $this->notFound();
if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
$this->template->user = $user; $this->template->user = $user;
$this->template->videos = $this->videos->getByUser($user, (int) ($this->queryParam("p") ?? 1)); $this->template->videos = $this->videos->getByUser($user, (int) ($this->queryParam("p") ?? 1));
@ -38,6 +40,8 @@ final class VideosPresenter extends OpenVKPresenter
{ {
$user = $this->users->get($owner); $user = $this->users->get($owner);
if(!$user) $this->notFound(); if(!$user) $this->notFound();
if(!$user->getPrivacyPermission('videos.read', $this->user->identity ?? NULL))
$this->flashFail("err", tr("forbidden"), tr("forbidden_comment"));
if($this->videos->getByOwnerAndVID($owner, $vId)->isDeleted()) $this->notFound(); if($this->videos->getByOwnerAndVID($owner, $vId)->isDeleted()) $this->notFound();


@ -3,6 +3,7 @@
{block title}{$user->getCanonicalName()}{/block} {block title}{$user->getCanonicalName()}{/block}
{block headIncludes} {block headIncludes}
{if $user->getPrivacyPermission('page.read', $thisUser ?? NULL)}
<!-- openGraph --> <!-- openGraph -->
<meta property="og:title" content="{$user->getCanonicalName()}" /> <meta property="og:title" content="{$user->getCanonicalName()}" />
<meta property="og:url" content="http://{$_SERVER['HTTP_HOST']}{$user->getURL()}" /> <meta property="og:url" content="http://{$_SERVER['HTTP_HOST']}{$user->getURL()}" />
@ -22,6 +23,9 @@
"url": {('http://') . $_SERVER['HTTP_HOST'] . $user->getURL()} "url": {('http://') . $_SERVER['HTTP_HOST'] . $user->getURL()}
} }
</script> </script>
{else}
<meta name="robots" content="noindex, noarchive">
{/if}
{/block} {/block}
{block header} {block header}
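Review bot: The `page.read` condition wraps only the OpenGraph and JSON-LD head includes, while `{block title}` two lines above it still renders `$user->getCanonicalName()` unconditionally, so a profile the viewer is not allowed to read still exposes the owner's name in the document title (and in whatever the body renders, which is outside this hunk). If `page.read` is meant to hide the profile, the title block needs the same `{if $user->getPrivacyPermission('page.read', $thisUser ?? NULL)}` guard with a neutral fallback title. The `noindex, noarchive` meta in the `{else}` branch only advises well-behaved crawlers; the server-side checks in the presenters remain the actual protection, so this should not be counted on as one.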