Restrict who can use the lastSeenAt user sort (#2634)

2024-11-22 06:05:46 +08:00 · 2021-03-02 15:59:14 +01:00 · 2021-03-02 15:59:14 +01:00 · 6e01c47c11
commit 6e01c47c11
parent a9526917b8
2 changed files with 50 additions and 0 deletions
--- a/src/Api/Controller/ListUsersController.php
+++ b/src/Api/Controller/ListUsersController.php
@ -76,6 +76,13 @@ class ListUsersController extends AbstractListController

        $actor->assertCan('viewUserList');

+        if (! $actor->hasPermission('user.viewLastSeenAt')) {
+            // If a user cannot see everyone's last online date, we prevent them from sorting by it
+            // Otherwise this sort field would defeat the privacy setting discloseOnline
+            // We use remove instead of add so that extensions can still completely disable the sort using the extender
+            $this->removeSortField('lastSeenAt');
+        }
+
        $filters = $this->extractFilter($request);
        $sort = $this->extractSort($request);

--- a/tests/integration/api/users/ListTest.php
+++ b/tests/integration/api/users/ListTest.php
@ -91,6 +91,49 @@ class ListTest extends TestCase
        $this->assertEquals(['1', '2'], Arr::pluck($data, 'id'));
    }

+    /**
+     * @test
+     */
+    public function allows_last_seen_sorting_with_permission()
+    {
+        $this->prepareDatabase([
+            'group_permission' => [
+                ['permission' => 'viewUserList', 'group_id' => 2],
+                ['permission' => 'user.viewLastSeenAt', 'group_id' => 2],
+            ],
+        ]);
+
+        $response = $this->send(
+            $this->request('GET', '/api/users')
+            ->withQueryParams([
+                'sort' => 'lastSeenAt',
+            ])
+        );
+
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    /**
+     * @test
+     */
+    public function disallows_last_seen_sorting_without_permission()
+    {
+        $this->prepareDatabase([
+            'group_permission' => [
+                ['permission' => 'viewUserList', 'group_id' => 2],
+            ],
+        ]);
+
+        $response = $this->send(
+            $this->request('GET', '/api/users')
+                ->withQueryParams([
+                    'sort' => 'lastSeenAt',
+                ])
+        );
+
+        $this->assertEquals(400, $response->getStatusCode());
+    }
+
    /**
     * @test
     */