mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Honor avatar visibility settings 

Fixes #5456
Only when an avatar is set to public should we show it to the public.
For now this has an open question as to how to solve federated avatars.
But I assume a dedicated paramter or endpooint would make sense there.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2019-10-28 13:48:34 +01:00
parent 921f748996
commit 0bd1378f81
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 26 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
core/Controller/AvatarController.php
View File

@ -28,6 +28,7 @@
namespace OC\Core\Controller;
use OC\AppFramework\Utility\TimeFactory;
use OCP\Accounts\IAccountManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataDisplayResponse;
@ -76,6 +77,8 @@ class AvatarController extends Controller {
/** @var TimeFactory */
protected $timeFactory;
/** @var IAccountManager */
private $accountManager;
/**
* @param string $appName
@ -98,7 +101,8 @@ class AvatarController extends Controller {
IRootFolder $rootFolder,
ILogger $logger,
$userId,
TimeFactory $timeFactory) {
TimeFactory $timeFactory,
IAccountManager $accountManager) {
parent::__construct($appName, $request);
$this->avatarManager = $avatarManager;
@ -109,6 +113,7 @@ class AvatarController extends Controller {
$this->logger = $logger;
$this->userId = $userId;
$this->timeFactory = $timeFactory;
$this->accountManager = $accountManager;
}
@ -130,6 +135,19 @@ class AvatarController extends Controller {
$size = 64;
}
$user = $this->userManager->get($userId);
if ($user === null) {
return $this->return404();
}
$account = $this->accountManager->getAccount($user);
$scope = $account->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope();
if ($scope !== IAccountManager::VISIBILITY_PUBLIC && $this->userId === null) {
// Public avatar access is not allowed
return $this->return404();
}
try {
$avatar = $this->avatarManager->getAvatar($userId);
$avatarFile = $avatar->getFile($size);
@ -139,9 +157,7 @@ class AvatarController extends Controller {
['Content-Type' => $avatarFile->getMimeType()]
);
} catch (\Exception $e) {
$resp = new Http\Response();
$resp->setStatus(Http::STATUS_NOT_FOUND);
return $resp;
return $this->return404();
}
// Cache for 30 minutes
@ -149,6 +165,12 @@ class AvatarController extends Controller {
return $resp;
}
private function return404(): Http\Response {
$resp = new Http\Response();
$resp->setStatus(Http::STATUS_NOT_FOUND);
return $resp;
}
/**
* @NoAdminRequired
*