Commit 192977f6 authored by Son Nguyen's avatar Son Nguyen Committed by Gerrit Code Review

Merge "For private profiles, hide all profile information from logged-out users" into 1.6_STABLE

parents e5764a51 6490dda9
...@@ -48,7 +48,13 @@ $loggedinid = $USER->get('id'); ...@@ -48,7 +48,13 @@ $loggedinid = $USER->get('id');
if ($profileurlid = param_alphanumext('profile', null)) { if ($profileurlid = param_alphanumext('profile', null)) {
if (!$user = get_record('usr', 'urlid', $profileurlid, 'deleted', 0)) { if (!$user = get_record('usr', 'urlid', $profileurlid, 'deleted', 0)) {
throw new UserNotFoundException("User $profileurlid not found"); if ($USER->is_logged_in()) {
throw new UserNotFoundException("User $profileurlid not found");
}
else {
// For logged-out users we show "access denied" in order to prevent an enumeration attack
throw new AccessDeniedException(get_string('youcannotviewthisusersprofile', 'error'));
}
} }
$userid = $user->id; $userid = $user->id;
} }
...@@ -65,7 +71,13 @@ if ($userid == 0) { ...@@ -65,7 +71,13 @@ if ($userid == 0) {
// Get the user's details // Get the user's details
if (!isset($user)) { if (!isset($user)) {
if (!$user = get_record('usr', 'id', $userid, 'deleted', 0)) { if (!$user = get_record('usr', 'id', $userid, 'deleted', 0)) {
throw new UserNotFoundException("User with id $userid not found"); if ($USER->is_logged_in()) {
throw new UserNotFoundException("User with id $userid not found");
}
else {
// For logged-out users we show "access denied" in order to prevent an enumeration attack
throw new AccessDeniedException(get_string('youcannotviewthisusersprofile', 'error'));
}
} }
} }
$is_friend = is_friend($userid, $loggedinid); $is_friend = is_friend($userid, $loggedinid);
...@@ -86,7 +98,13 @@ if (!$view) { ...@@ -86,7 +98,13 @@ if (!$view) {
} }
$viewid = $view->get('id'); $viewid = $view->get('id');
// Special behaviour: Logged in users who the page hasn't been shared with, see a special page
// with the user's name, icon, and little else.
$restrictedview = !can_view_view($viewid); $restrictedview = !can_view_view($viewid);
// Logged-out users can't see any details, though
if ($restrictedview && !$USER->is_logged_in()) {
throw new AccessDeniedException(get_string('accessdenied', 'error'));
}
if (!$restrictedview) { if (!$restrictedview) {
$viewcontent = $view->build_columns(); $viewcontent = $view->build_columns();
} }
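Review bot: The logged-out paths do not all return the same message: the not-found branches added in the first two hunks throw `AccessDeniedException(get_string('youcannotviewthisusersprofile', 'error'))`, while the private-profile check added in the third hunk uses `get_string('accessdenied', 'error')`. If those two strings render differently, an anonymous visitor can still tell a missing account from an existing private one, which is exactly what the added comment says the change is meant to prevent. Using one key for all three throws, e.g. `throw new AccessDeniedException(get_string('youcannotviewthisusersprofile', 'error'));` inside the `$restrictedview` check, would close that gap, and the identical if/else added twice could move into one small helper so the responses cannot drift apart later. The `!$view` branch just above the third hunk lies outside the visible lines, so its logged-out response should be checked for the same consistency.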