authorRoeland Jago Douma <roeland@famdouma.nl>2019-10-28 13:48:34 +0100
committerRoeland Jago Douma <roeland@famdouma.nl>2019-10-28 13:48:34 +0100
commit0bd1378f819915529d17a53147c0a43ff10c09f1 (patch)
treea6f35e9e29e811652a79e24aa5bbf53d55ce94b1 /core/Controller
parent921f748996754e59e5b59cc08cc424ff66854730 (diff)
Honor avatar visibility settings
Fixes #5456. Only when an avatar is set to public should we show it to the public. For now this leaves an open question as to how to solve federated avatars, but I assume a dedicated parameter or endpoint would make sense there. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'core/Controller')
-rw-r--r--core/Controller/AvatarController.php30
1 files changed, 26 insertions, 4 deletions
diff --git a/core/Controller/AvatarController.php b/core/Controller/AvatarController.php
index 9ee344f7ed8..45c0daece02 100644
--- a/core/Controller/AvatarController.php
+++ b/core/Controller/AvatarController.php
@@ -28,6 +28,7 @@
namespace OC\Core\Controller;
use OC\AppFramework\Utility\TimeFactory;
+use OCP\Accounts\IAccountManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataDisplayResponse;
@@ -76,6 +77,8 @@ class AvatarController extends Controller {
/** @var TimeFactory */
protected $timeFactory;
+ /** @var IAccountManager */
+ private $accountManager;
/**
* @param string $appName
@@ -98,7 +101,8 @@ class AvatarController extends Controller {
IRootFolder $rootFolder,
ILogger $logger,
$userId,
- TimeFactory $timeFactory) {
+ TimeFactory $timeFactory,
+ IAccountManager $accountManager) {
parent::__construct($appName, $request);
$this->avatarManager = $avatarManager;
@@ -109,6 +113,7 @@ class AvatarController extends Controller {
$this->logger = $logger;
$this->userId = $userId;
$this->timeFactory = $timeFactory;
+ $this->accountManager = $accountManager;
}
@@ -130,6 +135,19 @@ class AvatarController extends Controller {
$size = 64;
}
+ $user = $this->userManager->get($userId);
+ if ($user === null) {
+ return $this->return404();
+ }
+
+ $account = $this->accountManager->getAccount($user);
+ $scope = $account->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope();
+
+ if ($scope !== IAccountManager::VISIBILITY_PUBLIC && $this->userId === null) {
+ // Public avatar access is not allowed
+ return $this->return404();
+ }
+
try {
$avatar = $this->avatarManager->getAvatar($userId);
$avatarFile = $avatar->getFile($size);
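Review bot: The scope lookup `$scope = $account->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope();` runs outside the try/catch that follows it, so if getProperty() throws for an account with no avatar property (the IAccount contract permits a PropertyDoesNotExistException there, as far as can be told from outside this hunk), the request ends in an uncaught exception rather than the 404 every other failure path in this method returns. Since the change is meant to fail closed, a missing property should be treated as non-public, not as a server error. The new check also admits any authenticated local user regardless of scope, which fits the old private/contacts/public semantics but is not what `// Public avatar access is not allowed` says; `// Non-public avatars are only served to logged-in local users` describes the branch more accurately. The enclosing method's signature and size handling begin above this hunk.
```php
try {
    $scope = $this->accountManager->getAccount($user)
        ->getProperty(IAccountManager::PROPERTY_AVATAR)
        ->getScope();
} catch (\Exception $e) {
    // No usable avatar property on this account: fail closed and treat it as non-public.
    $scope = null;
}

if ($scope !== IAccountManager::VISIBILITY_PUBLIC && $this->userId === null) {
    // Non-public avatars are only served to logged-in local users
    return $this->return404();
}
// … unchanged: avatar lookup inside the existing try/catch …
```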
@@ -139,9 +157,7 @@ class AvatarController extends Controller {
['Content-Type' => $avatarFile->getMimeType()]
);
} catch (\Exception $e) {
- $resp = new Http\Response();
- $resp->setStatus(Http::STATUS_NOT_FOUND);
- return $resp;
+ return $this->return404();
}
// Cache for 30 minutes
@@ -149,6 +165,12 @@ class AvatarController extends Controller {
return $resp;
}
+ private function return404(): Http\Response {
+ $resp = new Http\Response();
+ $resp->setStatus(Http::STATUS_NOT_FOUND);
+ return $resp;
+ }
+
/**
* @NoAdminRequired
*
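Review bot: return404() is added without a docblock although the neighbouring method at the end of the hunk opens with one; a short one would make the fail-closed intent explicit: `/** Empty 404 used alike for an unknown user, a non-public avatar and an avatar-file failure, so a client cannot tell the cases apart. */`. It reads no instance state, so it could also be declared `private static function return404(): Http\Response`. The `return $resp;` at the top of the hunk belongs to a method that starts above it.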