From 804e74a3d74f004c2cb57fce09fd86c093e296cf Mon Sep 17 00:00:00 2001
From: tonis
Date: Fri, 8 Mar 2024 09:29:23 +0200
Subject: [PATCH 1/3] added option to disable viewing any other user's profile for non-admin users
---
 src/User/Controller/ProfileController.php | 12 ++++++++++++
 src/User/Module.php | 4 ++++
 2 files changed, 16 insertions(+)
diff --git a/src/User/Controller/ProfileController.php b/src/User/Controller/ProfileController.php
index 2e99fe1f..2a9e66b9 100644
--- a/src/User/Controller/ProfileController.php
+++ b/src/User/Controller/ProfileController.php
@@ -11,15 +11,20 @@ namespace Da\User\Controller;
+use Da\User\Model\User;
 use Da\User\Query\ProfileQuery;
+use Da\User\Traits\ModuleAwareTrait;
 use Yii;
 use yii\base\Module;
 use yii\filters\AccessControl;
 use yii\web\Controller;
+use yii\web\ForbiddenHttpException;
 use yii\web\NotFoundHttpException;
 class ProfileController extends Controller
 {
+ use ModuleAwareTrait;
+
 protected $profileQuery;
 /**
@@ -67,6 +72,13 @@ public function actionIndex()
 public function actionShow($id)
 {
+ $user = Yii::$app->user;
+ /** @var User $identity */
+ $identity = $user->getIdentity();
+ if($user->getId() != $id && $this->module->disableProfileViewsForRegularUsers && !$identity->getIsAdmin()) {
+ throw new ForbiddenHttpException();
+ }
+
 $profile = $this->profileQuery->whereUserId($id)->one();
 if ($profile === null) {
diff --git a/src/User/Module.php b/src/User/Module.php
index d8b4e03d..a27360b6 100755
--- a/src/User/Module.php
+++ b/src/User/Module.php
@@ -241,6 +241,10 @@ class Module extends BaseModule
 * @var boolean whether to disable IP logging into user table
 */
 public $disableIpLogging = false;
+ /**
+ * @var boolean whether to disable viewing any user's profile for non-admin users
+ */
+ public $disableProfileViewsForRegularUsers = false;
 /**
 * @var array Minimum requirements when a new password is automatically generated.
 * Array structure: `requirement => minimum number characters`.
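Review bot: The new guard at the top of actionShow compares the session user id to the route parameter with loose `!=` and then calls `getIsAdmin()` on `$identity` without a null check, so an unauthenticated request would hit a method call on null (a 500 instead of a 403) unless the controller's AccessControl rules, which sit outside this hunk, already require a logged-in user. Route parameters arrive as strings, so a strict comparison needs an explicit cast, e.g. `if ((string) $user->getId() !== (string) $id && $this->module->disableProfileViewsForRegularUsers && ($identity === null || !$identity->getIsAdmin())) {`. Throwing before the profile lookup, as the hunk does, is the right order because it does not reveal whether the requested id exists; the remaining nit is `if(` versus the `if (` spacing used two lines below. actionShow's body continues past the end of the hunk.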
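Review bot: The docblock on the new `$disableProfileViewsForRegularUsers` property says non-admin users are blocked from viewing "any user's profile", but the controller check in this same patch only rejects requests for a different user's id, so users can still open their own profile. Suggested wording: ` * @var boolean whether non-admin users may view only their own profile; requests for any other user's profile are rejected with HTTP 403`. The sibling `$disableIpLogging` docblock above uses `boolean`, so keeping that spelling here is consistent with the file even though `bool` is the modern short form.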
From 22f4795093f60cf406c152284860127f386b935c Mon Sep 17 00:00:00 2001
From: tonis
Date: Fri, 8 Mar 2024 09:34:11 +0200
Subject: [PATCH 2/3] added changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f922f622..bf6d30e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - Fix: Social Network Auth (eluhr)
 - Enh #532: /user/registration/register now shows form validation errors
 - Enh: Allow/suggest new v3 releases of 2amigos 2fa dependencies: 2fa-library, qrcode-library (TonisOrmisson)
+- Enh: Added option to disable viewing any other user's profile for non-admin users (TonisOrmisson)
 ## 1.6.2 Jan 4th, 2024
From 25c7b90aade50f317d38c92c7188c6e6dd9616eb Mon Sep 17 00:00:00 2001
From: tonis
Date: Fri, 8 Mar 2024 10:05:05 +0200
Subject: [PATCH 3/3] added docs
---
 docs/install/configuration-options.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docs/install/configuration-options.md b/docs/install/configuration-options.md
index ba775e1c..ed86a61e 100755
--- a/docs/install/configuration-options.md
+++ b/docs/install/configuration-options.md
@@ -313,6 +313,11 @@ Set to `true` to restrict user assignments to roles only.
 If `true` registration and last login IPs are not logged into users table, instead a dummy 127.0.0.1 is used
+
+#### disableProfileViewsForRegularUsers (type: `boolean`, default: `false`)
+
+If `true` only admin users have access to view any other user's profile. By default any user can see any other users public profile page.
+
 #### minPasswordRequirements (type: `array`, default: `['lower' => 1, 'digit' => 1, 'upper' => 1]`)
 Minimum requirements when a new password is automatically generated.