Fixed access rights to user locations

src/Api/Controller/ListUserLocationsController.php

@@ -58,7 +58,9 @@ class ListUserLocationsController extends AbstractListController
 
 		$actor = RequestUtil::getActor($request);
 		
-		$actor->assertCan('searchUsers');
+		// We do not limit discovery of users in this method, because we only reveal those who have accepted to appear on the global map (they have defined a location in their profile)
+		// Also, this method only returns attributes related to the map (like username and location)
+		//$actor->assertCan('searchUsers');
 
 		if (! $actor->hasPermission('user.viewLastSeenAt')) {
 			// If a user cannot see everyone's last online date, we prevent them from sorting by it
@@ -77,11 +79,13 @@ class ListUserLocationsController extends AbstractListController
 
 		$criteria = new QueryCriteria($actor, $filters, $sort, $sortIsDefault);
 		$criteria->mustHaveLocation = true;
-		if (array_key_exists('q', $filters)) {
+		
+		// As of now, search is disabled, because in current implementation it could disclose users who do not want to appear on the map (no location)
+		/*if (array_key_exists('q', $filters)) {
 			$results = $this->searcher->search($criteria, $limit, $offset);
-		} else {
+		} else {*/
 			$results = $this->filterer->filter($criteria, $limit, $offset);
-		}
+		//}
 
 		$document->addPaginationLinks(
 			$this->url->to('api')->route('user-locations.index'),