users: add is_visible_to function for checking user visibility to a certain other user
parent
68deff8f60
commit
5d2f4d203b
|
@ -743,6 +743,12 @@ class User(Base):
|
|||
def has_follower(self, user):
|
||||
if not user or self.id == user.id: return False # users can't follow themselves
|
||||
return g.db.query(Follow).filter_by(target_id=self.id, user_id=user.id).one_or_none()
|
||||
|
||||
@lazy
|
||||
def is_visible_to(self, user) -> bool:
|
||||
if not self.is_private: return True
|
||||
if self.id == user.id: return True
|
||||
return user.admin_level >= PERMS['VIEW_PRIVATE_PROFILES'] or user.eye
|
||||
|
||||
@property
|
||||
@lazy
|
||||
|
@ -972,7 +978,6 @@ class User(Base):
|
|||
def can_see_shadowbanned(self):
|
||||
return (self.admin_level >= PERMS['USER_SHADOWBAN']) or self.shadowbanned
|
||||
|
||||
|
||||
@property
|
||||
@lazy
|
||||
def unmutable(self):
|
||||
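Review bot: `is_visible_to` is a per-viewer authorization decision, yet it is wrapped in `@lazy`; `lazy` is not defined on this page, so confirm that it keys its cached value on the `user` argument and not only on the method name, otherwise the first viewer's answer could be returned to a later viewer of the same `User` object. If that cannot be confirmed, dropping the decorator is the safer choice, since the body is only a few cheap comparisons. The last line also returns whatever `user.eye` holds rather than a `bool`, despite the `-> bool` annotation; `return bool(user.admin_level >= PERMS['VIEW_PRIVATE_PROFILES'] or user.eye)` would match it. A short docstring stating that `self` is the profile being viewed and `user` is the viewer would help, because the argument order is easy to invert at call sites. The class body continues outside this hunk.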
|
|
|
@ -70,7 +70,7 @@ def searchposts(v):
|
|||
if 'author' in criteria:
|
||||
posts = posts.filter(Submission.ghost == False)
|
||||
author = get_user(criteria['author'], v=v, include_shadowbanned=False)
|
||||
if author.is_private and author.id != v.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye:
|
||||
if not author.is_visible_to(v):
|
||||
if v.client:
|
||||
abort(403, f"@{author.username}'s profile is private; You can't use the 'author' syntax on them")
|
||||
return render_template("search.html",
|
||||
|
@ -195,7 +195,7 @@ def searchcomments(v):
|
|||
if 'author' in criteria:
|
||||
comments = comments.filter(Comment.ghost == False)
|
||||
author = get_user(criteria['author'], v=v, include_shadowbanned=False)
|
||||
if author.is_private and author.id != v.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye:
|
||||
if not author.is_visible_to(v):
|
||||
if v.client:
|
||||
abort(403, f"@{author.username}'s profile is private; You can't use the 'author' syntax on them")
|
||||
|
||||
|
|
|
@ -26,7 +26,7 @@ from .login import check_for_alts
|
|||
|
||||
def upvoters_downvoters(v, username, uid, cls, vote_cls, vote_dir, template, standalone):
|
||||
u = get_user(username, v=v, include_shadowbanned=False)
|
||||
if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): abort(403)
|
||||
if not u.is_visible_to(v): abort(403)
|
||||
if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403)
|
||||
id = u.id
|
||||
try:
|
||||
|
@ -76,7 +76,7 @@ def downvoters_comments(v, username, uid):
|
|||
|
||||
def upvoting_downvoting(v, username, uid, cls, vote_cls, vote_dir, template, standalone):
|
||||
u = get_user(username, v=v, include_shadowbanned=False)
|
||||
if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): abort(403)
|
||||
if not u.is_visible_to(v): abort(403)
|
||||
if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403)
|
||||
id = u.id
|
||||
try:
|
||||
|
@ -126,7 +126,7 @@ def downvoting_comments(v, username, uid):
|
|||
|
||||
def user_voted(v, username, cls, vote_cls, vote_dir, template, standalone):
|
||||
u = get_user(username, v=v, include_shadowbanned=False)
|
||||
if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): abort(403)
|
||||
if not u.is_visible_to(v): abort(403)
|
||||
if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403)
|
||||
|
||||
page = max(1, int(request.values.get("page", 1)))
|
||||
|
@ -659,7 +659,7 @@ def u_username(username, v=None):
|
|||
g.db.commit()
|
||||
|
||||
|
||||
if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)):
|
||||
if not u.is_visible_to(v):
|
||||
if g.is_api_or_xhr or request.path.endswith(".json"):
|
||||
abort(403, "This userpage is private")
|
||||
|
||||
|
@ -739,7 +739,7 @@ def u_username_comments(username, v=None):
|
|||
|
||||
u = user
|
||||
|
||||
if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)):
|
||||
if not u.is_visible_to(v):
|
||||
if g.is_api_or_xhr or request.path.endswith(".json"):
|
||||
abort(403, "This userpage is private")
|
||||
return render_template("userpage_private.html", u=u, v=v)
|
||||
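Review bot: The replaced conditions in `u_username` and `u_username_comments` started with `not v or (...)`, and both signatures shown in the hunk headers default `v=None`, so `u.is_visible_to(v)` can now receive `None`. As written in this commit, `is_visible_to` evaluates `user.id` once `self.is_private` is true, so an anonymous request for a private profile would raise `AttributeError` instead of reaching `abort(403, "This userpage is private")` or the `userpage_private.html` render. The request still fails closed, but as a server error; adding `if not user: return False` right after the `is_private` check in `is_visible_to` restores the old behaviour for every caller. The three voter-listing helpers dereference `v.id` on the next line regardless, so they appear to require a logged-in viewer already. All five function bodies continue outside their hunks.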
|
|