Add new v2-private account scope

Added new v2-private account manager scope that restricts the scope further by excluding public link access. Avatars with v2-private account scope are now showing the guest avatar instead of the real avatar. Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2021-03-22 12:08:53 +01:00 · 2021-03-22 12:08:53 +01:00 · f45f826b52
parent d6156b970b
commit f45f826b52
6 changed files with 185 additions and 13 deletions
--- a/apps/settings/js/federationscopemenu.js
+++ b/apps/settings/js/federationscopemenu.js
@ -15,6 +15,8 @@
 	 * Construct a new FederationScopeMenu instance
 	 * @constructs FederationScopeMenu
 	 * @memberof OC.Settings
+	 * @param {object} options
+	 * @param {array.<string>} [options.excludedScopes] array of excluded scopes
 	 */
 	var FederationScopeMenu = OC.Backbone.View.extend({
 		tagName: 'div',
@ -26,8 +28,15 @@
 			this.field = options.field;
 			this._scopes = [
 				{
-					name: 'private',
+					name: 'v2-private',
 					displayName: t('settings', 'Private'),
+					tooltip: t('settings', "Don't show via public link"),
+					iconClass: 'icon-password',
+					active: false
+				},
+				{
+					name: 'private',
+					displayName: t('settings', 'Local'),
 					tooltip: t('settings', "Don't synchronize to servers"),
 					iconClass: 'icon-password',
 					active: false
@ -41,12 +50,18 @@
 				},
 				{
 					name: 'public',
-					displayName: t('settings', 'Public'),
+					displayName: t('settings', 'Published'),
 					tooltip: t('settings', 'Synchronize to trusted servers and the global and public address book'),
 					iconClass: 'icon-link',
 					active: false
 				}
 			];
+
+			if (options.excludedScopes) {
+				this._scopes = this._scopes.filter(function(scopeEntry) {
+					return options.excludedScopes.indexOf(scopeEntry.name) === -1;
+				})
+			}
 		},

 		/**
@ -106,15 +121,18 @@
 			}

 			switch (currentlyActiveValue) {
-				case 'private':
+				case 'v2-private':
 					this._scopes[0].active = true;
 					break;
-				case 'contacts':
+				case 'private':
 					this._scopes[1].active = true;
 					break;
-				case 'public':
+				case 'contacts':
 					this._scopes[2].active = true;
 					break;
+				case 'public':
+					this._scopes[3].active = true;
+					break;
 			}

 			this.render();
--- a/apps/settings/js/federationsettingsview.js
+++ b/apps/settings/js/federationsettingsview.js
@ -61,9 +61,26 @@

 		render: function() {
 			var self = this;
+			var fieldsWithV2Private = [
+				'avatar',
+				'phone',
+				'twitter',
+				'website',
+				'address',
+			];
+
 			_.each(this._inputFields, function(field) {
 				var $icon = self.$('#' + field + 'form h3 > .federation-menu');
-				var scopeMenu = new OC.Settings.FederationScopeMenu({field: field});
+				var excludedScopes = null
+
+				if (fieldsWithV2Private.indexOf(field) === -1) {
+					excludedScopes = ['v2-private']
+				}
+
+				var scopeMenu = new OC.Settings.FederationScopeMenu({
+					field: field,
+					excludedScopes: excludedScopes,
+				});

 				self.listenTo(scopeMenu, 'select:scope', function(scope) {
 					self._onScopeChanged(field, scope);
@ -208,6 +225,7 @@

 			switch (scope) {
 				case 'private':
+				case 'v2-private':
 					$icon.addClass('icon-password');
 					$icon.removeClass('hidden');
 					break;
--- a/lib/private/Avatar/AvatarManager.php
+++ b/lib/private/Avatar/AvatarManager.php
@ -36,6 +36,7 @@ namespace OC\Avatar;

 use OC\User\Manager;
 use OC\User\NoUserException;
+use OCP\Accounts\IAccountManager;
 use OCP\Files\IAppData;
 use OCP\Files\NotFoundException;
 use OCP\Files\NotPermittedException;
@ -44,12 +45,16 @@ use OCP\IAvatarManager;
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\ILogger;
+use OCP\IUserSession;

 /**
 * This class implements methods to access Avatar functionality
 */
 class AvatarManager implements IAvatarManager {

+	/** @var IUserSession */
+	private $userSession;
+
 	/** @var Manager */
 	private $userManager;

@ -65,6 +70,9 @@ class AvatarManager implements IAvatarManager {
 	/** @var IConfig */
 	private $config;

+	/** @var IAccountManager */
+	private $accountManager;
+
 	/**
 	 * AvatarManager constructor.
 	 *
@ -73,18 +81,23 @@ class AvatarManager implements IAvatarManager {
 	 * @param IL10N $l
 	 * @param ILogger $logger
 	 * @param IConfig $config
+	 * @param IUserSession $userSession
 	 */
 	public function __construct(
+			IUserSession $userSession,
 			Manager $userManager,
 			IAppData $appData,
 			IL10N $l,
 			ILogger $logger,
-			IConfig $config) {
+			IConfig $config,
+			IAccountManager $accountManager) {
+		$this->userSession = $userSession;
 		$this->userManager = $userManager;
 		$this->appData = $appData;
 		$this->l = $l;
 		$this->logger = $logger;
 		$this->config = $config;
+		$this->accountManager = $accountManager;
 	}

 	/**
@ -104,6 +117,27 @@ class AvatarManager implements IAvatarManager {
 		// sanitize userID - fixes casing issue (needed for the filesystem stuff that is done below)
 		$userId = $user->getUID();

+		$requestingUser = null;
+		if ($this->userSession !== null) {
+			$requestingUser = $this->userSession->getUser();
+		}
+
+		$canShowRealAvatar = true;
+
+		// requesting in public page
+		if ($requestingUser === null) {
+			$account = $this->accountManager->getAccount($user);
+			$avatarProperties = $account->getProperty(IAccountManager::PROPERTY_AVATAR);
+			$avatarScope = $avatarProperties->getScope();
+
+			// v2-private scope hides the avatar from public access
+			if ($avatarScope === IAccountManager::SCOPE_PRIVATE) {
+				// FIXME: guest avatar is re-generated every time, use a cache instead
+				// see how UserAvatar caches the generated one
+				return $this->getGuestAvatar($userId);
+			}
+		}
+
 		try {
 			$folder = $this->appData->getFolder($userId);
 		} catch (NotFoundException $e) {
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@ -720,11 +720,13 @@ class Server extends ServerContainer implements IServerContainer {

 		$this->registerService(AvatarManager::class, function (Server $c) {
 			return new AvatarManager(
+				$c->get(IUserSession::class),
 				$c->get(\OC\User\Manager::class),
 				$c->getAppDataDir('avatar'),
 				$c->getL10N('lib'),
 				$c->get(ILogger::class),
-				$c->get(\OCP\IConfig::class)
+				$c->get(\OCP\IConfig::class),
+				$c->get(IAccountManager::class)
 			);
 		});
 		$this->registerAlias(IAvatarManager::class, AvatarManager::class);
--- a/lib/public/Accounts/IAccountManager.php
+++ b/lib/public/Accounts/IAccountManager.php
@ -38,11 +38,54 @@ use OCP\IUser;
 */
 interface IAccountManager {

-	/** nobody can see my account details */
+	/**
+	 * Contact details visible locally only
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_PRIVATE = 'v2-private';
+
+	/**
+	 * Contact details visible locally and through public link access on local instance
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_LOCAL = 'private';
+
+	/**
+	 * Contact details visible locally, through public link access and on trusted federated servers.
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_FEDERATED = 'federated';
+
+	/**
+	 * Contact details visible locally, through public link access, on trusted federated servers
+	 * and published to the public lookup server.
+	 *
+	 * @since 21.0.1
+	 */
+	public const SCOPE_PUBLISHED = 'public';
+
+	/**
+	 * Contact details only visible locally
+	 *
+	 * @deprecated 21.0.1
+	 */
 	public const VISIBILITY_PRIVATE = 'private';
-	/** only contacts, especially trusted servers can see my contact details */
+
+	/**
+	 * Contact details visible on trusted federated servers.
+	 *
+	 * @deprecated 21.0.1
+	 */
 	public const VISIBILITY_CONTACTS_ONLY = 'contacts';
-	/** every body ca see my contact detail, will be published to the lookup server */
+
+	/**
+	 * Contact details visible on trusted federated servers and in the public lookup server.
+	 *
+	 * @deprecated 21.0.1
+	 */
 	public const VISIBILITY_PUBLIC = 'public';

 	public const PROPERTY_AVATAR = 'avatar';
--- a/tests/lib/Avatar/AvatarManagerTest.php
+++ b/tests/lib/Avatar/AvatarManagerTest.php
@ -25,19 +25,26 @@
 namespace Test\Avatar;

 use OC\Avatar\AvatarManager;
+use OC\Avatar\GuestAvatar;
 use OC\Avatar\UserAvatar;
 use OC\User\Manager;
+use OCP\Accounts\IAccount;
+use OCP\Accounts\IAccountManager;
+use OCP\Accounts\IAccountProperty;
 use OCP\Files\IAppData;
 use OCP\Files\SimpleFS\ISimpleFolder;
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\ILogger;
 use OCP\IUser;
+use OCP\IUserSession;

 /**
 * Class AvatarManagerTest
 */
 class AvatarManagerTest extends \Test\TestCase {
+	/** @var IUserSession|\PHPUnit\Framework\MockObject\MockObject */
+	private $userSession;
 	/** @var Manager|\PHPUnit\Framework\MockObject\MockObject */
 	private $userManager;
 	/** @var IAppData|\PHPUnit\Framework\MockObject\MockObject */
@ -48,28 +55,33 @@ class AvatarManagerTest extends \Test\TestCase {
 	private $logger;
 	/** @var IConfig|\PHPUnit\Framework\MockObject\MockObject */
 	private $config;
+	/** @var IAccountManager|\PHPUnit\Framework\MockObject\MockObject */
+	private $accountManager;
 	/** @var AvatarManager | \PHPUnit\Framework\MockObject\MockObject */
 	private $avatarManager;

 	protected function setUp(): void {
 		parent::setUp();

+		$this->userSession = $this->createMock(IUserSession::class);
 		$this->userManager = $this->createMock(Manager::class);
 		$this->appData = $this->createMock(IAppData::class);
 		$this->l10n = $this->createMock(IL10N::class);
 		$this->logger = $this->createMock(ILogger::class);
 		$this->config = $this->createMock(IConfig::class);
+		$this->accountManager = $this->createMock(IAccountManager::class);

 		$this->avatarManager = new AvatarManager(
+			$this->userSession,
 			$this->userManager,
 			$this->appData,
 			$this->l10n,
 			$this->logger,
-			$this->config
+			$this->config,
+			$this->accountManager
 		);
 	}

-
 	public function testGetAvatarInvalidUser() {
 		$this->expectException(\Exception::class);
 		$this->expectExceptionMessage('user does not exist');
@ -84,6 +96,15 @@ class AvatarManagerTest extends \Test\TestCase {
 	}

 	public function testGetAvatarValidUser() {
+		// requesting user
+		$this->userSession->expects($this->once())
+			->method('getUser')
+			->willReturn($this->createMock(IUser::class));
+
+		// we skip account scope check for logged in user
+		$this->accountManager->expects($this->never())
+			->method('getAccount');
+
 		$user = $this->createMock(IUser::class);
 		$user
 			->expects($this->once())
@ -126,4 +147,40 @@ class AvatarManagerTest extends \Test\TestCase {
 		$expected = new UserAvatar($folder, $this->l10n, $user, $this->logger, $this->config);
 		$this->assertEquals($expected, $this->avatarManager->getAvatar('vaLid-USER'));
 	}
+
+	public function testGetAvatarPrivateScope() {
+		$user = $this->createMock(IUser::class);
+		$user
+			->expects($this->once())
+			->method('getUID')
+			->willReturn('valid-user');
+		$this->userManager
+			->expects($this->once())
+			->method('get')
+			->with('valid-user')
+			->willReturn($user);
+		$folder = $this->createMock(ISimpleFolder::class);
+		$this->appData
+			->expects($this->never())
+			->method('getFolder');
+
+		$account = $this->createMock(IAccount::class);
+		$this->accountManager->expects($this->once())
+			->method('getAccount')
+			->with($user)
+			->willReturn($account);
+
+		$property = $this->createMock(IAccountProperty::class);
+		$account->expects($this->once())
+			->method('getProperty')
+			->with(IAccountManager::PROPERTY_AVATAR)
+			->willReturn($property);
+
+		$property->expects($this->once())
+			->method('getScope')
+			->willReturn(IAccountManager::SCOPE_PRIVATE);
+
+		$expected = new GuestAvatar('valid-user', $this->createMock(ILogger::class));
+		$this->assertEquals($expected, $this->avatarManager->getAvatar('valid-user'));
+	}
 }