Restrict who can use the lastSeenAt user sort (#2634)

Clark Winkelmann 2021-03-02 15:59:14 +01:00 committed by GitHub
parent 5813f2522c
commit 8eb57ec990
2 changed files with 50 additions and 0 deletions


@ -76,6 +76,13 @@ class ListUsersController extends AbstractListController
$actor->assertCan('viewUserList');
if (! $actor->hasPermission('user.viewLastSeenAt')) {
// If a user cannot see everyone's last online date, we prevent them from sorting by it
// Otherwise this sort field would defeat the privacy setting discloseOnline
// We use remove instead of add so that extensions can still completely disable the sort using the extender
$this->removeSortField('lastSeenAt');
}
$filters = $this->extractFilter($request);
$sort = $this->extractSort($request);
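Review bot: `$this->removeSortField('lastSeenAt')` mutates the controller instance rather than a per-request copy of the allowed sort list, so the restriction is correct only if the controller is resolved fresh for every request; if the instance were ever reused (a singleton binding or a long-running worker), the field would stay removed for later actors who do hold `user.viewLastSeenAt`, which fails closed but silently degrades the feature. A comment stating that assumption would help the next maintainer, e.g. `// Relies on the controller being instantiated per request; the removal is never undone`. The gate also covers only the `sort` parameter; if this endpoint exposes a filter on last-seen dates, the same permission check is needed there, which I cannot tell from this hunk. The accompanying test only sends `sort=lastSeenAt`; whether the descending form `-lastSeenAt` is rejected as well depends on how `extractSort` normalises the leading `-`, and deserves its own case. The enclosing method starts and ends outside the hunk.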


@ -91,6 +91,49 @@ class ListTest extends TestCase
$this->assertEquals(['1', '2'], Arr::pluck($data, 'id'));
}
/**
* @test
*/
public function allows_last_seen_sorting_with_permission()
{
$this->prepareDatabase([
'group_permission' => [
['permission' => 'viewUserList', 'group_id' => 2],
['permission' => 'user.viewLastSeenAt', 'group_id' => 2],
],
]);
$response = $this->send(
$this->request('GET', '/api/users')
->withQueryParams([
'sort' => 'lastSeenAt',
])
);
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function disallows_last_seen_sorting_without_permission()
{
$this->prepareDatabase([
'group_permission' => [
['permission' => 'viewUserList', 'group_id' => 2],
],
]);
$response = $this->send(
$this->request('GET', '/api/users')
->withQueryParams([
'sort' => 'lastSeenAt',
])
);
$this->assertEquals(400, $response->getStatusCode());
}
/**
* @test
*/