From f4307ef4b16ffa1ea5a9e4697b57be36660a7953 Mon Sep 17 00:00:00 2001 From: Christopher Ng Date: Fri, 5 Nov 2021 01:42:44 +0000 Subject: Respect user enumeration settings on profile Signed-off-by: Christopher Ng --- core/Controller/ProfilePageController.php | 71 +++++++++++++++++++++++++------ 1 file changed, 58 insertions(+), 13 deletions(-) (limited to 'core/Controller') diff --git a/core/Controller/ProfilePageController.php b/core/Controller/ProfilePageController.php index a7ceb404fbc..2a23b673be1 100644 --- a/core/Controller/ProfilePageController.php +++ b/core/Controller/ProfilePageController.php @@ -26,14 +26,17 @@ declare(strict_types=1); namespace OC\Core\Controller; +use OC\KnownUser\KnownUserService; +use OC\Profile\ProfileManager; use OCP\Accounts\IAccountManager; use OCP\AppFramework\Controller; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Services\IInitialState; +use OCP\IGroupManager; use OCP\IRequest; use OCP\IUserManager; use OCP\IUserSession; -use OC\Profile\ProfileManager; +use OCP\Share\IManager as IShareManager; use OCP\UserStatus\IManager as IUserStatusManager; class ProfilePageController extends Controller { @@ -48,6 +51,15 @@ class ProfilePageController extends Controller { /** @var ProfileManager */ private $profileManager; + /** @var IShareManager */ + private $shareManager; + + /** @var IGroupManager */ + private $groupManager; + + /** @var KnownUserService */ + private $knownUserService; + /** @var IUserManager */ private $userManager; @@ -63,6 +75,9 @@ class ProfilePageController extends Controller { IInitialState $initialStateService, IAccountManager $accountManager, ProfileManager $profileManager, + IShareManager $shareManager, + IGroupManager $groupManager, + KnownUserService $knownUserService, IUserManager $userManager, IUserSession $userSession, IUserStatusManager $userStatusManager @@ -71,6 +86,9 @@ class ProfilePageController extends Controller { $this->initialStateService = $initialStateService; $this->accountManager = $accountManager; $this->profileManager = $profileManager; + $this->shareManager = $shareManager; + $this->groupManager = $groupManager; + $this->knownUserService = $knownUserService; $this->userManager = $userManager; $this->userSession = $userSession; $this->userStatusManager = $userStatusManager; @@ -83,13 +101,15 @@ class ProfilePageController extends Controller { * @NoSubAdminRequired */ public function index(string $targetUserId): TemplateResponse { + $profileNotFoundTemplate = new TemplateResponse( + 'core', + '404-profile', + [], + TemplateResponse::RENDER_AS_GUEST, + ); + if (!$this->userManager->userExists($targetUserId)) { - return new TemplateResponse( - 'core', - '404-profile', - [], - TemplateResponse::RENDER_AS_GUEST, - ); + return $profileNotFoundTemplate; } $visitingUser = $this->userSession->getUser(); @@ -97,12 +117,37 @@ class ProfilePageController extends Controller { $targetAccount = $this->accountManager->getAccount($targetUser); if (!$this->isProfileEnabled($targetAccount)) { - return new TemplateResponse( - 'core', - '404-profile', - [], - TemplateResponse::RENDER_AS_GUEST, - ); + return $profileNotFoundTemplate; + } + + // Run user enumeration checks only if viewing another user's profile + if ($targetUser !== $visitingUser) { + if ($this->shareManager->allowEnumerationFullMatch()) { + // Full id match is allowed + } elseif (!$this->shareManager->allowEnumeration()) { + return $profileNotFoundTemplate; + } else { + if ($this->shareManager->limitEnumerationToGroups() || $this->shareManager->limitEnumerationToPhone()) { + $targerUserGroupIds = $this->groupManager->getUserGroupIds($targetUser); + $visitingUserGroupIds = $this->groupManager->getUserGroupIds($visitingUser); + if ($this->shareManager->limitEnumerationToGroups() && $this->shareManager->limitEnumerationToPhone()) { + if ( + empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds)) + && !$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID()) + ) { + return $profileNotFoundTemplate; + } + } elseif ($this->shareManager->limitEnumerationToGroups()) { + if (empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds))) { + return $profileNotFoundTemplate; + } + } elseif ($this->shareManager->limitEnumerationToPhone()) { + if (!$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID())) { + return $profileNotFoundTemplate; + } + } + } + } } $userStatuses = $this->userStatusManager->getUserStatuses([$targetUserId]); -- cgit v1.2.3