Honor avatar visibility settings

Fixes #5456
Only when an avatar is set to public should we show it to the public.
For now this has an open question as to how to solve federated avatars.
But I assume a dedicated paramter or endpooint would make sense there.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2019-10-28 13:48:34 +01:00
parent 921f748996
commit 0bd1378f81
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 26 additions and 4 deletions

View File

@ -28,6 +28,7 @@
namespace OC\Core\Controller; namespace OC\Core\Controller;
use OC\AppFramework\Utility\TimeFactory; use OC\AppFramework\Utility\TimeFactory;
use OCP\Accounts\IAccountManager;
use OCP\AppFramework\Controller; use OCP\AppFramework\Controller;
use OCP\AppFramework\Http; use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataDisplayResponse; use OCP\AppFramework\Http\DataDisplayResponse;
@ -76,6 +77,8 @@ class AvatarController extends Controller {
/** @var TimeFactory */ /** @var TimeFactory */
protected $timeFactory; protected $timeFactory;
/** @var IAccountManager */
private $accountManager;
/** /**
* @param string $appName * @param string $appName
@ -98,7 +101,8 @@ class AvatarController extends Controller {
IRootFolder $rootFolder, IRootFolder $rootFolder,
ILogger $logger, ILogger $logger,
$userId, $userId,
TimeFactory $timeFactory) { TimeFactory $timeFactory,
IAccountManager $accountManager) {
parent::__construct($appName, $request); parent::__construct($appName, $request);
$this->avatarManager = $avatarManager; $this->avatarManager = $avatarManager;
@ -109,6 +113,7 @@ class AvatarController extends Controller {
$this->logger = $logger; $this->logger = $logger;
$this->userId = $userId; $this->userId = $userId;
$this->timeFactory = $timeFactory; $this->timeFactory = $timeFactory;
$this->accountManager = $accountManager;
} }
@ -130,6 +135,19 @@ class AvatarController extends Controller {
$size = 64; $size = 64;
} }
$user = $this->userManager->get($userId);
if ($user === null) {
return $this->return404();
}
$account = $this->accountManager->getAccount($user);
$scope = $account->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope();
if ($scope !== IAccountManager::VISIBILITY_PUBLIC && $this->userId === null) {
// Public avatar access is not allowed
return $this->return404();
}
try { try {
$avatar = $this->avatarManager->getAvatar($userId); $avatar = $this->avatarManager->getAvatar($userId);
$avatarFile = $avatar->getFile($size); $avatarFile = $avatar->getFile($size);
@ -139,9 +157,7 @@ class AvatarController extends Controller {
['Content-Type' => $avatarFile->getMimeType()] ['Content-Type' => $avatarFile->getMimeType()]
); );
} catch (\Exception $e) { } catch (\Exception $e) {
$resp = new Http\Response(); return $this->return404();
$resp->setStatus(Http::STATUS_NOT_FOUND);
return $resp;
} }
// Cache for 30 minutes // Cache for 30 minutes
@ -149,6 +165,12 @@ class AvatarController extends Controller {
return $resp; return $resp;
} }
private function return404(): Http\Response {
$resp = new Http\Response();
$resp->setStatus(Http::STATUS_NOT_FOUND);
return $resp;
}
/** /**
* @NoAdminRequired * @NoAdminRequired
* *