
Fixed access rights to user locations

main
Youen 1 year ago
parent
commit
2bd0cc77b6
  1. 12
      src/Api/Controller/ListUserLocationsController.php

12
src/Api/Controller/ListUserLocationsController.php

@ -58,7 +58,9 @@ class ListUserLocationsController extends AbstractListController
$actor = RequestUtil::getActor($request); $actor = RequestUtil::getActor($request);
$actor->assertCan('searchUsers'); // We do not limit discovery of users in this method, because we only reveal those who have accepted to appear on the global map (they have defined a location in their profile)
// Also, this method only returns attributes related to the map (like username and location)
//$actor->assertCan('searchUsers');
if (! $actor->hasPermission('user.viewLastSeenAt')) { if (! $actor->hasPermission('user.viewLastSeenAt')) {
// If a user cannot see everyone's last online date, we prevent them from sorting by it // If a user cannot see everyone's last online date, we prevent them from sorting by it
@ -77,11 +79,13 @@ class ListUserLocationsController extends AbstractListController
$criteria = new QueryCriteria($actor, $filters, $sort, $sortIsDefault); $criteria = new QueryCriteria($actor, $filters, $sort, $sortIsDefault);
$criteria->mustHaveLocation = true; $criteria->mustHaveLocation = true;
if (array_key_exists('q', $filters)) {
// As of now, search is disabled, because in current implementation it could disclose users who do not want to appear on the map (no location)
/*if (array_key_exists('q', $filters)) {
$results = $this->searcher->search($criteria, $limit, $offset); $results = $this->searcher->search($criteria, $limit, $offset);
} else { } else {*/
$results = $this->filterer->filter($criteria, $limit, $offset); $results = $this->filterer->filter($criteria, $limit, $offset);
} //}
$document->addPaginationLinks( $document->addPaginationLinks(
$this->url->to('api')->route('user-locations.index'), $this->url->to('api')->route('user-locations.index'),
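Review bot: With `$actor->assertCan('searchUsers');` commented out in the first hunk, nothing visible here gates the endpoint any more, so presumably guests can page through every username and location; defining a profile location is consent to appear on the map, not necessarily to anonymous bulk listing. Consider a narrower check rather than none, for example `$actor->assertRegistered();` or a dedicated map permission such as `$actor->assertCan('<map-view-permission>');` (placeholder name). The privacy argument in the new comment also depends on the filterer enforcing `$criteria->mustHaveLocation` and on the serializer limiting attributes, neither of which is visible in this diff, so a test asserting that a user without a location never appears in the response would be worth adding. In the second hunk, the disabled search branch is better deleted than left inside `/* … */`, and a `q` filter should be rejected or unset explicitly rather than passed on to `filter()`. The method body begins and ends outside these hunks.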
