diff --git a/core/Controller/AvatarController.php b/core/Controller/AvatarController.php index 9ee344f7ed..45c0daece0 100644 --- a/core/Controller/AvatarController.php +++ b/core/Controller/AvatarController.php @@ -28,6 +28,7 @@ namespace OC\Core\Controller; use OC\AppFramework\Utility\TimeFactory; +use OCP\Accounts\IAccountManager; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataDisplayResponse; @@ -76,6 +77,8 @@ class AvatarController extends Controller { /** @var TimeFactory */ protected $timeFactory; + /** @var IAccountManager */ + private $accountManager; /** * @param string $appName @@ -98,7 +101,8 @@ class AvatarController extends Controller { IRootFolder $rootFolder, ILogger $logger, $userId, - TimeFactory $timeFactory) { + TimeFactory $timeFactory, + IAccountManager $accountManager) { parent::__construct($appName, $request); $this->avatarManager = $avatarManager; @@ -109,6 +113,7 @@ class AvatarController extends Controller { $this->logger = $logger; $this->userId = $userId; $this->timeFactory = $timeFactory; + $this->accountManager = $accountManager; } @@ -130,6 +135,19 @@ class AvatarController extends Controller { $size = 64; } + $user = $this->userManager->get($userId); + if ($user === null) { + return $this->return404(); + } + + $account = $this->accountManager->getAccount($user); + $scope = $account->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope(); + + if ($scope !== IAccountManager::VISIBILITY_PUBLIC && $this->userId === null) { + // Public avatar access is not allowed + return $this->return404(); + } + try { $avatar = $this->avatarManager->getAvatar($userId); $avatarFile = $avatar->getFile($size); @@ -139,9 +157,7 @@ class AvatarController extends Controller { ['Content-Type' => $avatarFile->getMimeType()] ); } catch (\Exception $e) { - $resp = new Http\Response(); - $resp->setStatus(Http::STATUS_NOT_FOUND); - return $resp; + return $this->return404(); } // Cache for 30 minutes @@ -149,6 +165,12 @@ class AvatarController extends Controller { return $resp; } + private function return404(): Http\Response { + $resp = new Http\Response(); + $resp->setStatus(Http::STATUS_NOT_FOUND); + return $resp; + } + /** * @NoAdminRequired *