diff options
| author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2019-12-04 10:28:45 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-12-04 10:28:45 +0100 |
| commit | 738e6bf07926f05791b4eb80d7e63d72f299cd5a (patch) | |
| tree | e23cd7b7f5c060ebdccdb88931a33b4ecb476e11 /core/Controller | |
| parent | 7f80859ce46c25484b9a2a207f2ae26b123f3f5d (diff) | |
| parent | 54eb27dab2e3b5fe7a91b0fc388ae52de311d660 (diff) | |
| download | nextcloud-server-738e6bf07926f05791b4eb80d7e63d72f299cd5a.tar.gz nextcloud-server-738e6bf07926f05791b4eb80d7e63d72f299cd5a.zip | |
Merge pull request #17715 from nextcloud/fix/5456/respect_avatar_privacy
Honor avatar visibility settings
Diffstat (limited to 'core/Controller')
| -rw-r--r-- | core/Controller/AvatarController.php | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/core/Controller/AvatarController.php b/core/Controller/AvatarController.php index cef68ec8348..31e9b84d715 100644 --- a/core/Controller/AvatarController.php +++ b/core/Controller/AvatarController.php @@ -29,6 +29,7 @@ namespace OC\Core\Controller; use OC\AppFramework\Utility\TimeFactory; +use OCP\Accounts\IAccountManager; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataDisplayResponse; @@ -77,19 +78,9 @@ class AvatarController extends Controller { /** @var TimeFactory */ protected $timeFactory; + /** @var IAccountManager */ + private $accountManager; - /** - * @param string $appName - * @param IRequest $request - * @param IAvatarManager $avatarManager - * @param ICache $cache - * @param IL10N $l10n - * @param IUserManager $userManager - * @param IRootFolder $rootFolder - * @param ILogger $logger - * @param string $userId - * @param TimeFactory $timeFactory - */ public function __construct($appName, IRequest $request, IAvatarManager $avatarManager, @@ -99,7 +90,8 @@ class AvatarController extends Controller { IRootFolder $rootFolder, ILogger $logger, $userId, - TimeFactory $timeFactory) { + TimeFactory $timeFactory, + IAccountManager $accountManager) { parent::__construct($appName, $request); $this->avatarManager = $avatarManager; @@ -110,6 +102,7 @@ class AvatarController extends Controller { $this->logger = $logger; $this->userId = $userId; $this->timeFactory = $timeFactory; + $this->accountManager = $accountManager; } @@ -131,6 +124,19 @@ class AvatarController extends Controller { $size = 64; } + $user = $this->userManager->get($userId); + if ($user === null) { + return new JSONResponse([], Http::STATUS_NOT_FOUND); + } + + $account = $this->accountManager->getAccount($user); + $scope = $account->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope(); + + if ($scope !== IAccountManager::VISIBILITY_PUBLIC && $this->userId === null) { + // Public avatar access is not allowed + return new JSONResponse([], Http::STATUS_NOT_FOUND); + } + try { $avatar = $this->avatarManager->getAvatar($userId); $avatarFile = $avatar->getFile($size); @@ -140,9 +146,7 @@ class AvatarController extends Controller { ['Content-Type' => $avatarFile->getMimeType()] ); } catch (\Exception $e) { - $resp = new Http\Response(); - $resp->setStatus(Http::STATUS_NOT_FOUND); - return $resp; + return new JSONResponse([], Http::STATUS_NOT_FOUND); } // Cache for 30 minutes |