Tighten profile restriction feature

- Prevent feed access to restricted profiles
- Rework display of restricted profiles with a redirect to the profile/restricted route
- Normalize permission checking with IHandleUserSession->isAuthenticated
- Remove unusable "nocache" parameter in feed module because session isn't initialized
- Reword setting name and description
Hypolite Petovan 2022-11-30 13:50:52 -05:00
parent 0d53c69610
commit b83526ad0b
16 changed files with 135 additions and 84 deletions


@ -196,8 +196,7 @@ class Display extends BaseModule
protected function getDisplayData(array $item, bool $update = false, int $updateUid = 0, bool $force = false): string
{
$isRemoteContact = false;
$itemUid = $this->session->getLocalUserId();
$itemUid = $this->session->getLocalUserId();
$parent = null;
if (!$this->session->getLocalUserId() && !empty($item['parent-uri-id'])) {
@ -206,8 +205,7 @@ class Display extends BaseModule
if (!empty($parent)) {
$pageUid = $parent['uid'];
$isRemoteContact = $this->session->getRemoteContactID($pageUid);
if ($isRemoteContact) {
if ($this->session->getRemoteContactID($pageUid)) {
$itemUid = $parent['uid'];
}
} else {
@ -215,13 +213,11 @@ class Display extends BaseModule
}
if (!empty($pageUid) && ($pageUid != $this->session->getLocalUserId())) {
$page_user = User::getById($pageUid, ['hidewall']);
$page_user = User::getById($pageUid, ['nickname', 'hidewall']);
}
$is_owner = $this->session->getLocalUserId() && (in_array($pageUid, [$this->session->getLocalUserId(), 0]));
if (!empty($page_user['hidewall']) && !$is_owner && !$isRemoteContact) {
throw new HTTPException\ForbiddenException($this->t('Access to this profile has been restricted.'));
if (!empty($page_user['hidewall']) && !$this->session->isAuthenticated()) {
$this->baseUrl->redirect('profile/' . $page_user['nickname'] . '/restricted');
}
$sql_extra = Item::getPermissionsSQLByUserId($pageUid);
@ -275,6 +271,8 @@ class Display extends BaseModule
$output = '';
$is_owner = $this->session->getLocalUserId() && (in_array($pageUid, [$this->session->getLocalUserId(), 0]));
// We need the editor here to be able to reshare an item.
if ($is_owner && !$update) {
$output .= $this->conversation->statusEditor([], 0, true);