authorChristopher Ng <chrng8@gmail.com>2021-11-05 01:42:44 +0000
committerChristopher Ng <chrng8@gmail.com>2021-11-05 21:33:03 +0000
commitf4307ef4b16ffa1ea5a9e4697b57be36660a7953 (patch)
tree17f5705b45e290d5370f08a5fe40ad810766bb2d /core/Controller
parent6d5f10eb577a80013c9db9996b156838e4b71908 (diff)
Respect user enumeration settings on profile
Signed-off-by: Christopher Ng <chrng8@gmail.com>
Diffstat (limited to 'core/Controller')
-rw-r--r--core/Controller/ProfilePageController.php71
1 files changed, 58 insertions, 13 deletions
diff --git a/core/Controller/ProfilePageController.php b/core/Controller/ProfilePageController.php
index a7ceb404fbc..2a23b673be1 100644
--- a/core/Controller/ProfilePageController.php
+++ b/core/Controller/ProfilePageController.php
@@ -26,14 +26,17 @@ declare(strict_types=1);
namespace OC\Core\Controller;
+use OC\KnownUser\KnownUserService;
+use OC\Profile\ProfileManager;
use OCP\Accounts\IAccountManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
+use OCP\IGroupManager;
use OCP\IRequest;
use OCP\IUserManager;
use OCP\IUserSession;
-use OC\Profile\ProfileManager;
+use OCP\Share\IManager as IShareManager;
use OCP\UserStatus\IManager as IUserStatusManager;
class ProfilePageController extends Controller {
@@ -48,6 +51,15 @@ class ProfilePageController extends Controller {
/** @var ProfileManager */
private $profileManager;
+ /** @var IShareManager */
+ private $shareManager;
+
+ /** @var IGroupManager */
+ private $groupManager;
+
+ /** @var KnownUserService */
+ private $knownUserService;
+
/** @var IUserManager */
private $userManager;
@@ -63,6 +75,9 @@ class ProfilePageController extends Controller {
IInitialState $initialStateService,
IAccountManager $accountManager,
ProfileManager $profileManager,
+ IShareManager $shareManager,
+ IGroupManager $groupManager,
+ KnownUserService $knownUserService,
IUserManager $userManager,
IUserSession $userSession,
IUserStatusManager $userStatusManager
@@ -71,6 +86,9 @@ class ProfilePageController extends Controller {
$this->initialStateService = $initialStateService;
$this->accountManager = $accountManager;
$this->profileManager = $profileManager;
+ $this->shareManager = $shareManager;
+ $this->groupManager = $groupManager;
+ $this->knownUserService = $knownUserService;
$this->userManager = $userManager;
$this->userSession = $userSession;
$this->userStatusManager = $userStatusManager;
@@ -83,13 +101,15 @@ class ProfilePageController extends Controller {
* @NoSubAdminRequired
*/
public function index(string $targetUserId): TemplateResponse {
+ $profileNotFoundTemplate = new TemplateResponse(
+ 'core',
+ '404-profile',
+ [],
+ TemplateResponse::RENDER_AS_GUEST,
+ );
+
if (!$this->userManager->userExists($targetUserId)) {
- return new TemplateResponse(
- 'core',
- '404-profile',
- [],
- TemplateResponse::RENDER_AS_GUEST,
- );
+ return $profileNotFoundTemplate;
}
$visitingUser = $this->userSession->getUser();
@@ -97,12 +117,37 @@ class ProfilePageController extends Controller {
$targetAccount = $this->accountManager->getAccount($targetUser);
if (!$this->isProfileEnabled($targetAccount)) {
- return new TemplateResponse(
- 'core',
- '404-profile',
- [],
- TemplateResponse::RENDER_AS_GUEST,
- );
+ return $profileNotFoundTemplate;
+ }
+
+ // Run user enumeration checks only if viewing another user's profile
+ if ($targetUser !== $visitingUser) {
+ if ($this->shareManager->allowEnumerationFullMatch()) {
+ // Full id match is allowed
+ } elseif (!$this->shareManager->allowEnumeration()) {
+ return $profileNotFoundTemplate;
+ } else {
+ if ($this->shareManager->limitEnumerationToGroups() || $this->shareManager->limitEnumerationToPhone()) {
+ $targerUserGroupIds = $this->groupManager->getUserGroupIds($targetUser);
+ $visitingUserGroupIds = $this->groupManager->getUserGroupIds($visitingUser);
+ if ($this->shareManager->limitEnumerationToGroups() && $this->shareManager->limitEnumerationToPhone()) {
+ if (
+ empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds))
+ && !$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID())
+ ) {
+ return $profileNotFoundTemplate;
+ }
+ } elseif ($this->shareManager->limitEnumerationToGroups()) {
+ if (empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds))) {
+ return $profileNotFoundTemplate;
+ }
+ } elseif ($this->shareManager->limitEnumerationToPhone()) {
+ if (!$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID())) {
+ return $profileNotFoundTemplate;
+ }
+ }
+ }
+ }
}
$userStatuses = $this->userStatusManager->getUserStatuses([$targetUserId]);
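Review bot: The argument order of the two `isKnownToUser($targetUser->getUID(), $visitingUser->getUID())` calls in the phone-limited branches should be checked against KnownUserService's signature; if its first parameter is the user performing the lookup (the order used by the sharee search), the visiting user belongs first, and as written the check would answer whether the visitor is known to the target rather than the reverse, which is the relation the enumeration setting is meant to protect. The three-way split on limitEnumerationToGroups()/limitEnumerationToPhone() repeats the group-intersection and known-user tests and can collapse to two booleans, which also removes the empty `// Full id match is allowed` branch and the `$targerUserGroupIds` typo. `$visitingUser` is read from `$this->userSession->getUser()` in the previous hunk, which can in general be null; whether a guard sits between the hunks is not visible here, so the `->getUID()` calls on it are worth confirming. index() begins in the previous hunk and continues past this one.
```php
// Run user enumeration checks only if viewing another user's profile
if ($targetUser !== $visitingUser) {
    if (!$this->shareManager->allowEnumerationFullMatch()) {
        if (!$this->shareManager->allowEnumeration()) {
            return $profileNotFoundTemplate;
        }
        $limitToGroups = $this->shareManager->limitEnumerationToGroups();
        $limitToPhone = $this->shareManager->limitEnumerationToPhone();
        if ($limitToGroups || $limitToPhone) {
            $sharesGroup = $limitToGroups && !empty(array_intersect(
                $this->groupManager->getUserGroupIds($targetUser),
                $this->groupManager->getUserGroupIds($visitingUser),
            ));
            // Parameter order assumed to be (user doing the lookup, user looked up) — confirm against KnownUserService
            $isKnown = $limitToPhone
                && $this->knownUserService->isKnownToUser($visitingUser->getUID(), $targetUser->getUID());
            if (!$sharesGroup && !$isKnown) {
                return $profileNotFoundTemplate;
            }
        }
    }
}
// … unchanged: user status lookup …
```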