From 253d33ef7dcfc3df50a5e4245fb93e9a84098515 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT
Date: Fri, 29 May 2020 18:26:45 +0200
Subject: [PATCH] Validate that a user can see another user's page

---
 src/controllers/user_controller.rs | 3 +++
 src/helpers/user_helper.rs | 33 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/src/controllers/user_controller.rs b/src/controllers/user_controller.rs
index 0c8589a..2caa533 100644
--- a/src/controllers/user_controller.rs
+++ b/src/controllers/user_controller.rs
@@ -50,6 +50,9 @@ pub fn get_multiple(request: &mut HttpRequestHandler) -> RequestResult {
 pub fn get_advanced_info(request: &mut HttpRequestHandler) -> RequestResult {
     let user_id = request.post_user_id("userID")?;
 
+    if !user_helper::can_see_user_page(request.user_id_opt().unwrap_or(0), user_id)? {
+        request.forbidden("You are not allowed to see this user page!".to_string())?;
+    }
 
     request.success("get user info")
 }
\ No newline at end of file
diff --git a/src/helpers/user_helper.rs b/src/helpers/user_helper.rs
index cbf2687..c156dd2 100644
--- a/src/helpers/user_helper.rs
+++ b/src/helpers/user_helper.rs
@@ -2,6 +2,8 @@ use crate::data::error::ResultBoxError;
 use crate::data::user::{User, UserID, UserPageStatus, AccountImageVisibility};
 use crate::helpers::database;
 use crate::constants::database_tables_names::USERS_TABLE;
+use crate::data::user::UserPageStatus::PUBLIC;
+use crate::helpers::friends_helper::are_friend;
 
 /// User helper
 /// 
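Review bot: The deny path at `request.forbidden(...)?;` only stops the handler if `forbidden` yields an `Err`; should it return `Ok`, control falls through to `request.success("get user info")` and the page is served despite the failed check, so the refusal should not hinge on what `?` does. If `forbidden` produces a `RequestResult`, `return request.forbidden("You are not allowed to see this user page!".to_string());` makes it explicit and fail-closed — its signature is not in this hunk, so confirm which it is. The `unwrap_or(0)` maps an anonymous visitor to user id 0, a contract that `can_see_user_page` in the other file relies on with its `user_id <= 0` test; add `// 0 = not signed in; can_see_user_page treats ids <= 0 as anonymous` so the two sides stay in sync. Note the handler still ends in the placeholder `request.success("get user info")`, so the guard currently protects no real payload — presumably to be filled in by a later commit.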
@@ -59,4 +61,35 @@ pub fn exists(id: UserID) -> ResultBoxError {
     Ok(database::QueryInfo::new(USERS_TABLE)
         .cond_i64("ID", id)
         .exec_count()? > 0)
+}
+
+/// Check if a given user can see another user's page
+pub fn can_see_user_page(user_id: UserID, target_user: UserID) -> ResultBoxError {
+    if user_id == target_user {
+        return Ok(true);
+    }
+
+    let visibility = find_user_by_id(target_user)?.status;
+
+    // Open page = OK
+    if visibility == UserPageStatus::OPEN {
+        return Ok(true);
+    }
+
+    // The user need to be signed in
+    if user_id <= 0 {
+        return Ok(false);
+    }
+
+    // Public Page = OK for signed in users
+    if visibility == PUBLIC {
+        return Ok(true);
+    }
+
+    // Check if the users are friends
+    if !are_friend(user_id, target_user)? {
+        return Ok(false);
+    }
+
+    return Ok(true);
 }
\ No newline at end of file
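Review bot: The `if user_id <= 0` test encodes "not signed in" as a numeric sentinel that neither the doc comment nor the signature of `can_see_user_page` states, while the caller supplies it through `unwrap_or(0)`; at minimum document it — e.g. `/// \`user_id\` <= 0 denotes an anonymous visitor. Policy: OPEN pages are visible to all, PUBLIC pages to signed-in users, anything else to friends only.` — or better take `Option<UserID>` so the compiler enforces the contract. The visibility is dispatched through an `if` chain whose implicit fallback is the friend check, so any `UserPageStatus` variant other than `OPEN`/`PUBLIC` silently gets friends-only semantics; a `match` on the status states the policy per variant, and the rewrite below keeps the original call order (`find_user_by_id` before the sign-in test, `are_friend` only when signed in) so behaviour is unchanged. Minor style: `PUBLIC` is imported bare while `OPEN` is spelled `UserPageStatus::OPEN`, and the trailing `return Ok(true);` is flagged by clippy's `needless_return`.
```rust
/// Check if `user_id` may view `target_user`'s page.
/// `user_id <= 0` denotes an anonymous (not signed-in) visitor.
pub fn can_see_user_page(user_id: UserID, target_user: UserID) -> ResultBoxError {
    if user_id == target_user {
        return Ok(true);
    }
    // Sentinel contract shared with the controller's `unwrap_or(0)`.
    let signed_in = user_id > 0;
    match find_user_by_id(target_user)?.status {
        UserPageStatus::OPEN => Ok(true),
        UserPageStatus::PUBLIC => Ok(signed_in),
        // Every other status: friends of the target only (other variants not visible in this hunk).
        _ => Ok(signed_in && are_friend(user_id, target_user)?),
    }
}
```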