added option to disable viewing any other user's profile for non-admin users

2024-03-08 09:29:23 +02:00
parent 780feea552
commit 804e74a3d7
2 changed files with 16 additions and 0 deletions
--- a/src/User/Controller/ProfileController.php
+++ b/src/User/Controller/ProfileController.php
@ -11,15 +11,20 @@

 namespace Da\User\Controller;

+use Da\User\Model\User;
 use Da\User\Query\ProfileQuery;
+use Da\User\Traits\ModuleAwareTrait;
 use Yii;
 use yii\base\Module;
 use yii\filters\AccessControl;
 use yii\web\Controller;
+use yii\web\ForbiddenHttpException;
 use yii\web\NotFoundHttpException;

 class ProfileController extends Controller
 {
+    use ModuleAwareTrait;
+
    protected $profileQuery;

    /**
@ -67,6 +72,13 @@ class ProfileController extends Controller

    public function actionShow($id)
    {
+        $user = Yii::$app->user;
+        /** @var User $identity */
+        $identity = $user->getIdentity();
+        if($user->getId() != $id && $this->module->disableProfileViewsForRegularUsers && !$identity->getIsAdmin()) {
+            throw new ForbiddenHttpException();
+        }
+
        $profile = $this->profileQuery->whereUserId($id)->one();

        if ($profile === null) {
--- a/src/User/Module.php
+++ b/src/User/Module.php
@ -241,6 +241,10 @@ class Module extends BaseModule
     * @var boolean whether to disable IP logging into user table
     */
    public $disableIpLogging = false;
+    /**
+     * @var boolean whether to disable viewing any user's profile for non-admin users
+     */
+    public $disableProfileViewsForRegularUsers = false;
    /**
     * @var array Minimum requirements when a new password is automatically generated.
     *            Array structure: `requirement => minimum number characters`.