Add new v2-private account scope

Added new v2-private account manager scope that restricts the scope
further by excluding public link access.

Avatars with v2-private account scope are now showing the guest avatar
instead of the real avatar.

Signed-off-by: Vincent Petry <vincent@nextcloud.com>

3 files changed, 84 insertions, 5 deletions

diff --git a/lib/private/Avatar/AvatarManager.php b/lib/private/Avatar/AvatarManager.php
index 5102396224d..03f3d89e5f6 100644
--- a/lib/private/Avatar/AvatarManager.php
+++ b/lib/private/Avatar/AvatarManager.php
@@ -36,6 +36,7 @@ namespace OC\Avatar;
 
 use OC\User\Manager;
 use OC\User\NoUserException;
+use OCP\Accounts\IAccountManager;
 use OCP\Files\IAppData;
 use OCP\Files\NotFoundException;
 use OCP\Files\NotPermittedException;
@@ -44,12 +45,16 @@ use OCP\IAvatarManager;
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\ILogger;
+use OCP\IUserSession;
 
 /**
  * This class implements methods to access Avatar functionality
  */
 class AvatarManager implements IAvatarManager {
 
+	/** @var IUserSession */
+	private $userSession;
+
 	/** @var Manager */
 	private $userManager;
 
@@ -65,6 +70,9 @@ class AvatarManager implements IAvatarManager {
 	/** @var IConfig */
 	private $config;
 
+	/** @var IAccountManager */
+	private $accountManager;
+
 	/**
 	 * AvatarManager constructor.
 	 *
@@ -73,18 +81,23 @@ class AvatarManager implements IAvatarManager {
 	 * @param IL10N $l
 	 * @param ILogger $logger
 	 * @param IConfig $config
+	 * @param IUserSession $userSession
 	 */
 	public function __construct(
+			IUserSession $userSession,
 			Manager $userManager,
 			IAppData $appData,
 			IL10N $l,
 			ILogger $logger,
-			IConfig $config) {
+			IConfig $config,
+			IAccountManager $accountManager) {
+		$this->userSession = $userSession;
 		$this->userManager = $userManager;
 		$this->appData = $appData;
 		$this->l = $l;
 		$this->logger = $logger;
 		$this->config = $config;
+		$this->accountManager = $accountManager;
 	}
 
 	/**
@@ -104,6 +117,27 @@ class AvatarManager implements IAvatarManager {
 		// sanitize userID - fixes casing issue (needed for the filesystem stuff that is done below)
 		$userId = $user->getUID();
 
+		$requestingUser = null;
+		if ($this->userSession !== null) {
+			$requestingUser = $this->userSession->getUser();
+		}
+
+		$canShowRealAvatar = true;
+
+		// requesting in public page
+		if ($requestingUser === null) {
+			$account = $this->accountManager->getAccount($user);
+			$avatarProperties = $account->getProperty(IAccountManager::PROPERTY_AVATAR);
+			$avatarScope = $avatarProperties->getScope();
+
+			// v2-private scope hides the avatar from public access
+			if ($avatarScope === IAccountManager::SCOPE_PRIVATE) {
+				// FIXME: guest avatar is re-generated every time, use a cache instead
+				// see how UserAvatar caches the generated one
+				return $this->getGuestAvatar($userId);
+			}
+		}
+
 		try {
 			$folder = $this->appData->getFolder($userId);
 		} catch (NotFoundException $e) {
diff --git a/lib/private/Server.php b/lib/private/Server.php
index c0d6afbaaf6..93ad3b38997 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -720,11 +720,13 @@ class Server extends ServerContainer implements IServerContainer {
 
 		$this->registerService(AvatarManager::class, function (Server $c) {
 			return new AvatarManager(
+				$c->get(IUserSession::class),
 				$c->get(\OC\User\Manager::class),
 				$c->getAppDataDir('avatar'),
 				$c->getL10N('lib'),
 				$c->get(ILogger::class),
-				$c->get(\OCP\IConfig::class)
+				$c->get(\OCP\IConfig::class),
+				$c->get(IAccountManager::class)
 			);
 		});
 		$this->registerAlias(IAvatarManager::class, AvatarManager::class);
diff --git a/lib/public/Accounts/IAccountManager.php b/lib/public/Accounts/IAccountManager.php
index ae70d8963b4..9d720ba9e50 100644
--- a/lib/public/Accounts/IAccountManager.php
+++ b/lib/public/Accounts/IAccountManager.php
@@ -38,11 +38,54 @@ use OCP\IUser;
  */
 interface IAccountManager {
 
-	/** nobody can see my account details */
+	/**
+	 * Contact details visible locally only
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_PRIVATE = 'v2-private';
+
+	/**
+	 * Contact details visible locally and through public link access on local instance
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_LOCAL = 'private';
+
+	/**
+	 * Contact details visible locally, through public link access and on trusted federated servers.
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_FEDERATED = 'federated';
+
+	/**
+	 * Contact details visible locally, through public link access, on trusted federated servers
+	 * and published to the public lookup server.
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_PUBLISHED = 'public';
+
+	/**
+	 * Contact details only visible locally
+	 *
+	 * @deprecated 21.0.1
+	 */
 	public const VISIBILITY_PRIVATE = 'private';
-	/** only contacts, especially trusted servers can see my contact details */
+
+	/**
+	 * Contact details visible on trusted federated servers.
+	 *
+	 * @deprecated 21.0.1
+	 */
 	public const VISIBILITY_CONTACTS_ONLY = 'contacts';
-	/** every body ca see my contact detail, will be published to the lookup server */
+
+	/**
+	 * Contact details visible on trusted federated servers and in the public lookup server.
+	 *
+	 * @deprecated 21.0.1
+	 */
 	public const VISIBILITY_PUBLIC = 'public';
 
 	public const PROPERTY_AVATAR = 'avatar';