discourse/lib/guardian/user_guardian.rb
Osama Sayegh 976aca68f6
FEATURE: Restrict profile visibility of low-trust users (#29981)
We've seen in some communities abuse of user profile where bios and other fields are used in malicious ways, such as malware distribution. A common pattern between all the abuse cases we've seen is that the malicious actors tend to have 0 posts and have a low trust level.

To eliminate this abuse vector, or at least make it much less effective, we're making the following changes to user profiles:

1. Anonymous, TL0 and TL1 users cannot see any user profiles for users with 0 posts except for staff users
2. Anonymous and TL0 users can only see profiles of TL1 users and above

Users can always see their own profile, and they can still hide their profiles via the "Hide my public profile" preference. Staff can always see any user's profile.

Internal topic: t/142853.
2024-12-09 13:07:59 +03:00

224 lines
6.0 KiB
Ruby

# frozen_string_literal: true
# mixin for all Guardian methods dealing with user permissions
module UserGuardian
def can_claim_reviewable_topic?(topic)
SiteSetting.reviewable_claiming != "disabled" && can_review_topic?(topic)
end
def can_pick_avatar?(user_avatar, upload)
return false unless self.user
return true if is_admin?
# can always pick blank avatar
return true if !upload
return true if user_avatar.contains_upload?(upload.id)
return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id
UserUpload.exists?(upload_id: upload.id, user_id: user.id)
end
def can_edit_user?(user)
is_me?(user) || is_staff?
end
def can_edit_username?(user)
return false if SiteSetting.auth_overrides_username?
return true if is_staff?
return false if SiteSetting.username_change_period <= 0
return false if is_anonymous?
is_me?(user) && user.created_at > SiteSetting.username_change_period.days.ago
end
def can_edit_email?(user)
return false if SiteSetting.auth_overrides_email?
return false unless SiteSetting.email_editable?
return true if is_staff?
return false if is_anonymous?
can_edit?(user)
end
def can_edit_name?(user)
return false unless SiteSetting.enable_names?
return false if SiteSetting.auth_overrides_name?
return true if is_staff?
return false if is_anonymous?
can_edit?(user)
end
def can_see_notifications?(user)
is_me?(user) || is_admin?
end
def can_silence_user?(user)
user && is_staff? && not(user.staff?)
end
def can_unsilence_user?(user)
user && is_staff?
end
def can_delete_user?(user)
return false if user.nil? || user.admin?
if is_me?(user)
!SiteSetting.enable_discourse_connect &&
!user.has_more_posts_than?(SiteSetting.delete_user_self_max_post_count)
else
is_staff? &&
(
user.first_post_created_at.nil? ||
!user.has_more_posts_than?(User::MAX_STAFF_DELETE_POST_COUNT) ||
user.first_post_created_at > SiteSetting.delete_user_max_post_age.to_i.days.ago
)
end
end
def can_anonymize_user?(user)
is_staff? && !user.nil? && !user.staff? && !user.email&.ends_with?(UserAnonymizer::EMAIL_SUFFIX)
end
def can_merge_user?(user)
is_admin? && !user.nil? && !user.staff?
end
def can_merge_users?(source_user, target_user)
can_merge_user?(source_user) && !target_user.nil?
end
def can_see_warnings?(user)
user && (is_me?(user) || is_staff?)
end
def can_reset_bounce_score?(user)
user && is_staff?
end
def can_check_emails?(user)
is_admin? || (is_staff? && SiteSetting.moderators_view_emails)
end
def can_check_sso_details?(user)
user && is_admin?
end
def restrict_user_fields?(user)
(user.trust_level == TrustLevel[0] && anonymous?) || !can_see_profile?(user)
end
def can_see_staff_info?(user)
user && is_staff?
end
def can_see_suspension_reason?(user)
return true unless SiteSetting.hide_suspension_reasons?
user == @user || is_staff?
end
def can_disable_second_factor?(user)
user && can_administer_user?(user)
end
def can_see_user?(_user)
true
end
def public_can_see_profiles?
!SiteSetting.hide_user_profiles_from_public || !anonymous?
end
def can_see_profile?(user)
return false if user.blank?
return true if is_me?(user) || is_staff?
profile_hidden = SiteSetting.allow_users_to_hide_profile && user.user_option&.hide_profile?
return true if user.staff? && !profile_hidden
if user.user_stat.blank? || user.user_stat.post_count == 0
return false if anonymous? || !@user.has_trust_level?(TrustLevel[2])
end
if anonymous? || !@user.has_trust_level?(TrustLevel[1])
return user.has_trust_level?(TrustLevel[1]) && !profile_hidden
end
!profile_hidden
end
def can_see_user_actions?(user, action_types)
return true if !@user.anonymous? && (@user.id == user.id || is_admin?)
return false if SiteSetting.hide_user_activity_tab?
(action_types & UserAction.private_types).empty?
end
def allowed_user_field_ids(user)
@allowed_user_field_ids ||= {}
is_staff_or_is_me = is_staff? || is_me?(user)
cache_key = is_staff_or_is_me ? :staff_or_me : :other
@allowed_user_field_ids[cache_key] ||= begin
if is_staff_or_is_me
UserField.pluck(:id)
else
UserField.where("show_on_profile OR show_on_user_card").pluck(:id)
end
end
end
def can_feature_topic?(user, topic)
return false if topic.nil?
return false if !SiteSetting.allow_featured_topic_on_user_profiles?
return false if !is_me?(user) && !is_staff?
return false if !topic.visible
return false if topic.read_restricted_category? || topic.private_message?
true
end
def can_see_review_queue?
is_staff? ||
(
SiteSetting.enable_category_group_moderation &&
Reviewable
.joins(
"INNER JOIN category_moderation_groups ON category_moderation_groups.category_id = reviewables.category_id",
)
.where(
category_id: allowed_category_ids,
"category_moderation_groups.group_id": @user.group_users.pluck(:group_id),
)
.exists?
)
end
def can_see_summary_stats?(target_user)
true
end
def can_upload_profile_header?(user)
(is_me?(user) && user.in_any_groups?(SiteSetting.profile_background_allowed_groups_map)) ||
is_staff?
end
def can_upload_user_card_background?(user)
(is_me?(user) && user.in_any_groups?(SiteSetting.user_card_background_allowed_groups_map)) ||
is_staff?
end
def can_upload_external?
!ExternalUploadManager.user_banned?(user)
end
def can_delete_sso_record?(user)
SiteSetting.enable_discourse_connect && user && is_admin?
end
def can_delete_user_associated_accounts?(user)
user && is_admin?
end
def can_change_tracking_preferences?(user)
(SiteSetting.allow_changing_staged_user_tracking || !user.staged) && can_edit_user?(user)
end
end