Validate that a user can see another user's page

src/controllers/user_controller.rs

@@ -50,6 +50,9 @@ pub fn get_multiple(request: &mut HttpRequestHandler) -> RequestResult {
 pub fn get_advanced_info(request: &mut HttpRequestHandler) -> RequestResult {
     let user_id = request.post_user_id("userID")?;
 
+    if !user_helper::can_see_user_page(request.user_id_opt().unwrap_or(0), user_id)? {
+        request.forbidden("You are not allowed to see this user page!".to_string())?;
+    }
 
     request.success("get user info")
 }

src/helpers/user_helper.rs

@@ -2,6 +2,8 @@ use crate::data::error::ResultBoxError;
 use crate::data::user::{User, UserID, UserPageStatus, AccountImageVisibility};
 use crate::helpers::database;
 use crate::constants::database_tables_names::USERS_TABLE;
+use crate::data::user::UserPageStatus::PUBLIC;
+use crate::helpers::friends_helper::are_friend;
 
 /// User helper
 ///
@@ -59,4 +61,35 @@ pub fn exists(id: UserID) -> ResultBoxError<bool> {
     Ok(database::QueryInfo::new(USERS_TABLE)
         .cond_i64("ID", id)
         .exec_count()? > 0)
+}
+
+/// Check if a given user can see another user's page
+pub fn can_see_user_page(user_id: UserID, target_user: UserID) -> ResultBoxError<bool> {
+    if user_id == target_user {
+        return Ok(true);
+    }
+
+    let visibility = find_user_by_id(target_user)?.status;
+
+    // Open page = OK
+    if visibility ==  UserPageStatus::OPEN {
+        return Ok(true);
+    }
+
+    // The user need to be signed in
+    if user_id <= 0 {
+        return Ok(false);
+    }
+
+    // Public Page = OK for signed in users
+    if visibility == PUBLIC {
+        return Ok(true);
+    }
+
+    // Check if the users are friends
+    if !are_friend(user_id, target_user)? {
+        return Ok(false);
+    }
+
+    return Ok(true);
 }