leonardo/yii2-usuario
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed profile page being globally open by anyone by default

Browse Source
This commit is contained in:
tonis
2024-03-08 13:40:14 +02:00
parent 29a878fa4f
commit 5c0d050d24
6 changed files with 191 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/install/configuration-options.md
View File

@ -241,6 +241,15 @@ simple backends with static administrators that won't change throughout time.
Configures the permission name for `administrators`. See [AuthHelper](../../src/User/Helper/AuthHelper.php).
#### profileVisibility (type: `integer`, default:`0` (ProfileController::PROFILE_VISIBILITY_OWNER))
Configures to whom users 'profile/show' (public profile) page is shown. Constant values are defined in
[ProfileController](../../src/User/Controller/ProfileController.php) as constants. The visibility levels are:
- `0` (ProfileController::PROFILE_VISIBILITY_OWNER): The users profile page is shown ONLY to user itself, the owner of the profile.
- `1` (ProfileController::PROFILE_VISIBILITY_ADMIN): The users profile is shown ONLY to user itself (owner) AND users defined by module as admins.
- `2` (ProfileController::PROFILE_VISIBILITY_USERS): Any users profile page is shown to any other non-guest user.
- `3` (ProfileController::PROFILE_VISIBILITY_PUBLIC): Any user profile views are globally public and visible to anyone (including guests).
#### prefix (type: `string`, default: `user`)
Configures the URL prefix for the module.

37
src/User/Controller/ProfileController.php
View File

@ -25,6 +25,15 @@ class ProfileController extends Controller
{
use ModuleAwareTrait;
/** @var int will allow only profile owner */
const PROFILE_VISIBILITY_OWNER = 0;
/** @var int will allow profile owner and admin users */
const PROFILE_VISIBILITY_ADMIN = 1;
/** @var int will allow any logged-in user */
const PROFILE_VISIBILITY_USERS = 2;
/** @var int will allow anyone, including gusets */
public const PROFILE_VISIBILITY_PUBLIC = 3;
protected $profileQuery;
/**
@ -73,10 +82,32 @@ class ProfileController extends Controller
public function actionShow($id)
{
$user = Yii::$app->user;
/** @var User $identity */
$id = (int) $id;
/** @var ?User $identity */
$identity = $user->getIdentity();
if($user->getId() != $id && $this->module->disableProfileViewsForRegularUsers && !$identity->getIsAdmin()) {
throw new ForbiddenHttpException();
switch($this->module->profileVisibility) {
case static::PROFILE_VISIBILITY_OWNER:
if($identity === null || $id !== $user->getId()) {
throw new ForbiddenHttpException("1");
}
break;
case static::PROFILE_VISIBILITY_ADMIN:
if($id === $user->getId() || ($identity !== null && $identity->getIsAdmin())) {
break;
}
throw new ForbiddenHttpException();
case static::PROFILE_VISIBILITY_USERS:
if((!$user->getIsGuest())) {
break;
}
throw new ForbiddenHttpException();
case static::PROFILE_VISIBILITY_PUBLIC:
break;
default:
throw new ForbiddenHttpException();
}
$profile = $this->profileQuery->whereUserId($id)->one();

7
src/User/Module.php
View File

@ -12,6 +12,7 @@
namespace Da\User;
use Da\User\Contracts\MailChangeStrategyInterface;
use Da\User\Controller\ProfileController;
use Da\User\Filter\AccessRuleFilter;
use Yii;
use yii\base\Module as BaseModule;
@ -181,6 +182,12 @@ class Module extends BaseModule
* @var string the administrator permission name
*/
public $administratorPermissionName;
/**
* @var int $profileVisibility Defines the level of user's profile page visibility.
* Defaults to ProfileController::PROFILE_VISIBILITY_OWNER meaning no-one except the user itself can view
* the profile. @see ProfileController constants for prssible options
*/
public $profileVisibility = ProfileController::PROFILE_VISIBILITY_OWNER;
/**
* @var string the route prefix
*/

4
tests/_fixtures/data/profile.php
View File

@ -7,4 +7,8 @@ return [
'user_id' => 1,
'name' => 'John Doe',
],
'seconduser' => [
'user_id' => 9,
'name' => 'John Doe 2',
],
];

28
tests/_fixtures/data/user.php
View File

@ -78,7 +78,7 @@ return [
'username' => 'user2fa',
'email' => 'user2faenabled@example.com',
'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
'auth_key' => '39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq',
'auth_key' => '08aff8636535eb934ae7aa205254ac6b',
'auth_tf_key' => '',
'auth_tf_enabled' => true,
'auth_tf_type' => 'google-authenticator',
@ -87,4 +87,30 @@ return [
'confirmed_at' => $time,
'gdpr_consent' => false,
],
'admin' => [
'id' => 8,
'username' => 'admin',
'email' => 'admin@example.com',
'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
'auth_key' => '39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq',
'auth_tf_key' => '',
'auth_tf_enabled' => false,
'created_at' => $time,
'updated_at' => $time,
'confirmed_at' => $time,
'gdpr_consent' => false,
],
'seconduser' => [
'id' => 9,
'username' => 'seconduser',
'email' => 'seconduser@example.com',
'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
'auth_key' => '776960890cec5ac53525f0e910716f5a',
'auth_tf_key' => '',
'auth_tf_enabled' => false,
'created_at' => $time,
'updated_at' => $time,
'confirmed_at' => $time,
'gdpr_consent' => false,
],
];

110
tests/functional/ProfileCept.php Normal file
View File

@ -0,0 +1,110 @@
<?php
/**
* @var Codeception\Scenario
*/
use tests\_fixtures\ProfileFixture;
use tests\_fixtures\UserFixture;
$I = new FunctionalTester($scenario);
$I->haveFixtures([
'user' => UserFixture::class,
'profile' => ProfileFixture::class
]);
$user = $I->grabFixture('user', 'user');
$secondUser = $I->grabFixture('user', 'seconduser');
$adminUser = $I->grabFixture('user', 'admin');
$I->wantTo('Ensure that profile profile pages are shown only to when user has correct permissions and else forbidden');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_OWNER;
Yii::$app->getModule('user')->administrators = ['admin'];
$I->amLoggedInAs($user);
$I->amGoingTo('try to open users own profile page');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amGoingTo('Profile visibility::OWNER: try to open another users profile page');
$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::OWNER: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_ADMIN;
$I->amLoggedInAs($user);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open users own profile page');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open another users profile page as regular user');
$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
$I->amLoggedInAs($adminUser);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open another users profile page as admin');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_USERS;
$I->amLoggedInAs($user);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open users own profile page');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open another users profile page as regular user');
$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amLoggedInAs($adminUser);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open another users profile page as admin');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_PUBLIC;
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_PUBLIC: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');