fixed profile page being globally open by anyone by default
		| @ -25,6 +25,15 @@ class ProfileController extends Controller | ||||
| { | ||||
|     use ModuleAwareTrait; | ||||
|  | ||||
|     /** @var int will allow only profile owner */ | ||||
|     const PROFILE_VISIBILITY_OWNER = 0; | ||||
|     /** @var int will allow profile owner and admin users */ | ||||
|     const PROFILE_VISIBILITY_ADMIN = 1; | ||||
|     /** @var int will allow any logged-in user */ | ||||
|     const PROFILE_VISIBILITY_USERS = 2; | ||||
|     /** @var int will allow anyone, including gusets */ | ||||
|     public const PROFILE_VISIBILITY_PUBLIC = 3; | ||||
|  | ||||
|     protected $profileQuery; | ||||
|  | ||||
|     /** | ||||
| @ -73,10 +82,32 @@ class ProfileController extends Controller | ||||
|     public function actionShow($id) | ||||
|     { | ||||
|         $user = Yii::$app->user; | ||||
|         /** @var User $identity */ | ||||
|         $id = (int) $id; | ||||
|  | ||||
|         /** @var ?User $identity */ | ||||
|         $identity = $user->getIdentity(); | ||||
|         if($user->getId() != $id && $this->module->disableProfileViewsForRegularUsers && !$identity->getIsAdmin()) { | ||||
|             throw new ForbiddenHttpException(); | ||||
|  | ||||
|         switch($this->module->profileVisibility) { | ||||
|             case static::PROFILE_VISIBILITY_OWNER: | ||||
|                 if($identity === null || $id !== $user->getId()) { | ||||
|                     throw new ForbiddenHttpException("1"); | ||||
|                 } | ||||
|                 break; | ||||
|             case static::PROFILE_VISIBILITY_ADMIN: | ||||
|                 if($id === $user->getId() || ($identity !== null && $identity->getIsAdmin())) { | ||||
|                     break; | ||||
|                 } | ||||
|                 throw new ForbiddenHttpException(); | ||||
|             case static::PROFILE_VISIBILITY_USERS: | ||||
|                 if((!$user->getIsGuest())) { | ||||
|                     break; | ||||
|                 } | ||||
|                 throw new ForbiddenHttpException(); | ||||
|             case static::PROFILE_VISIBILITY_PUBLIC: | ||||
|                 break; | ||||
|             default: | ||||
|                 throw new ForbiddenHttpException(); | ||||
|  | ||||
|         } | ||||
|  | ||||
|         $profile = $this->profileQuery->whereUserId($id)->one(); | ||||
|  | ||||
| @ -12,6 +12,7 @@ | ||||
| namespace Da\User; | ||||
|  | ||||
| use Da\User\Contracts\MailChangeStrategyInterface; | ||||
| use Da\User\Controller\ProfileController; | ||||
| use Da\User\Filter\AccessRuleFilter; | ||||
| use Yii; | ||||
| use yii\base\Module as BaseModule; | ||||
| @ -181,6 +182,12 @@ class Module extends BaseModule | ||||
|      * @var string the administrator permission name | ||||
|      */ | ||||
|     public $administratorPermissionName; | ||||
|     /** | ||||
|      * @var int $profileVisibility Defines the level of user's profile page visibility. | ||||
|      *          Defaults to ProfileController::PROFILE_VISIBILITY_OWNER meaning no-one except the user itself can view | ||||
|      *          the profile. @see ProfileController constants for prssible options | ||||
|      */ | ||||
|     public $profileVisibility = ProfileController::PROFILE_VISIBILITY_OWNER; | ||||
|     /** | ||||
|      * @var string the route prefix | ||||
|      */ | ||||
|  | ||||
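Review bot: The `$profileVisibility` docblock has a typo ("prssible") and does not state what the controller does with an unrecognised value, which matters for a security setting; I'd write the description as "Defines who may view a user's profile page. Defaults to `ProfileController::PROFILE_VISIBILITY_OWNER`, meaning only the user themselves can view it; see the `ProfileController::PROFILE_VISIBILITY_*` constants for the possible values. Any other value denies access to everyone." This hunk does not show the previous `disableProfileViewsForRegularUsers` option being removed or deprecated; if that property still exists, existing configurations setting it now silently have no effect, so it should either be marked `@deprecated` in favour of `$profileVisibility` or mapped onto the new setting during `init()`.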