
Validate that a user can see another user's page

This commit is contained in:
Pierre HUBERT 2020-05-29 18:26:45 +02:00
parent cf2d9606d9
commit 253d33ef7d
2 changed files with 36 additions and 0 deletions


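--- a/<controller-path-not-shown-on-page>
+++ b/<controller-path-not-shown-on-page>
@@ -50,6 +50,9 @@ pub fn get_multiple(request: &mut HttpRequestHandler) -> RequestResult {
 pub fn get_advanced_info(request: &mut HttpRequestHandler) -> RequestResult {
     let user_id = request.post_user_id("userID")?;
+    if !user_helper::can_see_user_page(request.user_id_opt().unwrap_or(0), user_id)? {
+        request.forbidden("You are not allowed to see this user page!".to_string())?;
+    }
     request.success("get user info")
 }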
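Review bot: The anonymous viewer is encoded as the sentinel `0` through `request.user_id_opt().unwrap_or(0)` on the line before the `forbidden` call, and the helper then relies on `user_id <= 0` to detect that case; nothing in either signature records this convention, so a later caller could pass a real id of 0 or forget the `unwrap_or` and get a different outcome. If `user_id_opt()` returns an `Option<UserID>` (inferred from its name), passing the `Option` through, e.g. `can_see_user_page(request.user_id_opt(), user_id)?`, would make "not signed in" explicit in the type instead of a magic value. Failing that, a comment such as `// 0 = not signed in; can_see_user_page treats it as an anonymous viewer` on the call line would at least document the contract. `get_advanced_info` is shown in full in this hunk.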


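--- a/<user-helper-path-not-shown-on-page>
+++ b/<user-helper-path-not-shown-on-page>
@@ -2,6 +2,8 @@ use crate::data::error::ResultBoxError;
 use crate::data::user::{User, UserID, UserPageStatus, AccountImageVisibility};
 use crate::helpers::database;
 use crate::constants::database_tables_names::USERS_TABLE;
+use crate::data::user::UserPageStatus::PUBLIC;
+use crate::helpers::friends_helper::are_friend;
 /// User helper
 ///
@@ -60,3 +62,34 @@ pub fn exists(id: UserID) -> ResultBoxError<bool> {
         .cond_i64("ID", id)
         .exec_count()? > 0)
 }
+/// Check if a given user can see another user's page
+pub fn can_see_user_page(user_id: UserID, target_user: UserID) -> ResultBoxError<bool> {
+    if user_id == target_user {
+        return Ok(true);
+    }
+    let visibility = find_user_by_id(target_user)?.status;
+    // Open page = OK
+    if visibility == UserPageStatus::OPEN {
+        return Ok(true);
+    }
+    // The user need to be signed in
+    if user_id <= 0 {
+        return Ok(false);
+    }
+    // Public Page = OK for signed in users
+    if visibility == PUBLIC {
+        return Ok(true);
+    }
+    // Check if the users are friends
+    if !are_friend(user_id, target_user)? {
+        return Ok(false);
+    }
+    return Ok(true);
+}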
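Review bot: The signed-in gate `if user_id <= 0` in `can_see_user_page` makes 0 (or any negative value) mean "anonymous viewer", but the doc comment on the function does not say so; add a line such as `/// A `user_id` of 0 (or below) means the viewer is not signed in and only OPEN pages are visible`, or take an `Option<UserID>` so callers cannot pass an ambiguous id. The final friendship gate assumes `are_friend` is true only for an accepted friendship and not for a pending request; if it also covers pending requests, sending a request alone would unlock the target's page, so that is worth confirming against `friends_helper`. If `find_user_by_id` returns an error for an unknown id, a lookup of a non-existent target surfaces as an error from this helper rather than a clean "not visible" result; whether `post_user_id` already validates existence is not visible here. As a point of style, one branch compares against `UserPageStatus::OPEN` and the next against a bare imported `PUBLIC`; writing `UserPageStatus::PUBLIC` in both places and dropping the extra `use` keeps the variants readable side by side, and the tail `if !are_friend(user_id, target_user)? { return Ok(false); } return Ok(true);` collapses to `are_friend(user_id, target_user)`.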