	Validate that a user can see another user's page
		@@ -50,6 +50,9 @@ pub fn get_multiple(request: &mut HttpRequestHandler) -> RequestResult {
 | 
				
			|||||||
pub fn get_advanced_info(request: &mut HttpRequestHandler) -> RequestResult {
 | 
					pub fn get_advanced_info(request: &mut HttpRequestHandler) -> RequestResult {
 | 
				
			||||||
    let user_id = request.post_user_id("userID")?;
 | 
					    let user_id = request.post_user_id("userID")?;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    if !user_helper::can_see_user_page(request.user_id_opt().unwrap_or(0), user_id)? {
 | 
				
			||||||
 | 
					        request.forbidden("You are not allowed to see this user page!".to_string())?;
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    request.success("get user info")
 | 
					    request.success("get user info")
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
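Review bot: The `unwrap_or(0)` on the `request.user_id_opt()` call encodes "anonymous visitor" as the id 0, and the access decision silently depends on `can_see_user_page` treating non-positive ids as not signed in; that coupling is invisible at the call site. Either document it with `// 0 = anonymous visitor; can_see_user_page() treats non-positive ids as not signed in` above the `if`, or have the helper take `Option<UserID>` so the compiler enforces the distinction. The `forbidden(...)?` early-return is the right shape: the page is denied before any target data is touched, and the body after the check is still the `request.success("get user info")` stub, so no user data is returned yet.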
@@ -2,6 +2,8 @@ use crate::data::error::ResultBoxError;
 | 
				
			|||||||
use crate::data::user::{User, UserID, UserPageStatus, AccountImageVisibility};
 | 
					use crate::data::user::{User, UserID, UserPageStatus, AccountImageVisibility};
 | 
				
			||||||
use crate::helpers::database;
 | 
					use crate::helpers::database;
 | 
				
			||||||
use crate::constants::database_tables_names::USERS_TABLE;
 | 
					use crate::constants::database_tables_names::USERS_TABLE;
 | 
				
			||||||
 | 
					use crate::data::user::UserPageStatus::PUBLIC;
 | 
				
			||||||
 | 
					use crate::helpers::friends_helper::are_friend;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
/// User helper
 | 
					/// User helper
 | 
				
			||||||
///
 | 
					///
 | 
				
			||||||
@@ -60,3 +62,34 @@ pub fn exists(id: UserID) -> ResultBoxError<bool> {
 | 
				
			|||||||
        .cond_i64("ID", id)
 | 
					        .cond_i64("ID", id)
 | 
				
			||||||
        .exec_count()? > 0)
 | 
					        .exec_count()? > 0)
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					/// Check if a given user can see another user's page
 | 
				
			||||||
 | 
					pub fn can_see_user_page(user_id: UserID, target_user: UserID) -> ResultBoxError<bool> {
 | 
				
			||||||
 | 
					    if user_id == target_user {
 | 
				
			||||||
 | 
					        return Ok(true);
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    let visibility = find_user_by_id(target_user)?.status;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    // Open page = OK
 | 
				
			||||||
 | 
					    if visibility ==  UserPageStatus::OPEN {
 | 
				
			||||||
 | 
					        return Ok(true);
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    // The user need to be signed in
 | 
				
			||||||
 | 
					    if user_id <= 0 {
 | 
				
			||||||
 | 
					        return Ok(false);
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    // Public Page = OK for signed in users
 | 
				
			||||||
 | 
					    if visibility == PUBLIC {
 | 
				
			||||||
 | 
					        return Ok(true);
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    // Check if the users are friends
 | 
				
			||||||
 | 
					    if !are_friend(user_id, target_user)? {
 | 
				
			||||||
 | 
					        return Ok(false);
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    return Ok(true);
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
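Review bot: The new `can_see_user_page` is correct in its deny-by-default shape (anything other than OPEN/PUBLIC falls through to the friendship check), but that contract is not written down: the doc comment should state that `user_id <= 0` denotes an unauthenticated caller and that every status not handled explicitly is treated as friends-only, since the caller in `get_advanced_info` relies on both. Style-wise the function mixes a bare `PUBLIC` (imported in the preceding hunk as `use crate::data::user::UserPageStatus::PUBLIC;`) with the qualified `UserPageStatus::OPEN` (note the double space in `==  UserPageStatus::OPEN`), and ends with `return Ok(true);` after an `if !are_friend(...)? { return Ok(false); }` pair that is just `are_friend` itself. A single `match` on the status keeps the ordering (unauthenticated users are rejected before PUBLIC is considered) and makes the fall-through explicit; the bare `PUBLIC` import can then be dropped.
```rust
/// Check if a given user can see another user's page.
///
/// `user_id <= 0` means the caller is not signed in. Any status other than
/// OPEN or PUBLIC is treated as friends-only (deny by default).
pub fn can_see_user_page(user_id: UserID, target_user: UserID) -> ResultBoxError<bool> {
    if user_id == target_user {
        return Ok(true);
    }

    let visibility = find_user_by_id(target_user)?.status;

    match visibility {
        // Open page = OK for everybody
        UserPageStatus::OPEN => Ok(true),
        // Everything below requires a signed-in user
        _ if user_id <= 0 => Ok(false),
        // Public page = OK for signed-in users
        UserPageStatus::PUBLIC => Ok(true),
        // Any other status: friends only
        _ => Ok(are_friend(user_id, target_user)?),
    }
}
```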