From 2bd0cc77b6db88e56c63ea7df9046760b978b684 Mon Sep 17 00:00:00 2001
From: Youen
Date: Fri, 25 Aug 2023 11:03:02 +0200
Subject: [PATCH] Fixed access rights to user locations
---
 src/Api/Controller/ListUserLocationsController.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/Api/Controller/ListUserLocationsController.php b/src/Api/Controller/ListUserLocationsController.php
index 59e6619..acb0949 100644
--- a/src/Api/Controller/ListUserLocationsController.php
+++ b/src/Api/Controller/ListUserLocationsController.php
@@ -58,7 +58,9 @@ class ListUserLocationsController extends AbstractListController
 $actor = RequestUtil::getActor($request);
- $actor->assertCan('searchUsers');
+ // We do not limit discovery of users in this method, because we only reveal those who have accepted to appear on the global map (they have defined a location in their profile)
+ // Also, this method only returns attributes related to the map (like username and location)
+ //$actor->assertCan('searchUsers');
 if (! $actor->hasPermission('user.viewLastSeenAt')) {
 // If a user cannot see everyone's last online date, we prevent them from sorting by it
@@ -77,11 +79,13 @@ class ListUserLocationsController extends AbstractListController
 $criteria = new QueryCriteria($actor, $filters, $sort, $sortIsDefault);
 $criteria->mustHaveLocation = true;
- if (array_key_exists('q', $filters)) {
+
+ // As of now, search is disabled, because in current implementation it could disclose users who do not want to appear on the map (no location)
+ /*if (array_key_exists('q', $filters)) {
 $results = $this->searcher->search($criteria, $limit, $offset);
- } else {
+ } else {*/
 $results = $this->filterer->filter($criteria, $limit, $offset);
- }
+ //}
 $document->addPaginationLinks(
 $this->url->to('api')->route('user-locations.index'),
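Review bot: Removing `$actor->assertCan('searchUsers')` in the first hunk means any actor the route admits, presumably including guests, can now list users through this endpoint, so enumeration is held back only by `$criteria->mustHaveLocation = true` in the second hunk and by whatever the response serializer chooses to expose; neither the filterer's handling of that flag nor the serializer is visible here, so the comment's claim that "only attributes related to the map (like username and location)" are returned should be checked against the serializer before it is relied on as the access-control argument. Rather than leaving the check commented out, which reads as a temporary hack and invites someone to restore it without re-reading the rationale, delete the line and record the invariant in the comment, e.g. `// No 'searchUsers' check here: results are limited to users who opted into the map (mustHaveLocation) and the serializer must expose only map fields (username, location).` The enclosing method starts before this hunk and continues past it, so the `hasPermission('user.viewLastSeenAt')` guard is the only other access check visible.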
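Review bot: In the second hunk a request carrying a `q` filter is now silently answered with the unfiltered location list, because the branch that used to consult the searcher is commented out and nothing else reacts to the key; a client will believe its search was applied when it was not. If search must stay off because the searcher ignores `mustHaveLocation` (that is what the comment implies but the searcher itself is not visible), reject the parameter explicitly instead of ignoring it, for example `if (array_key_exists('q', $filters)) { throw new InvalidParameterException('q is not supported on this endpoint'); }` using whatever bad-request exception the framework provides, and delete the `/*if … } else {*/` and `//}` fragments rather than keeping dead code around the single `filter` call. A short why-comment on the remaining line would carry the rationale, e.g. `// Only the filterer honours mustHaveLocation; the searcher would leak users without a location.` The method's body continues past the end of this hunk.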