mirror of
https://github.com/flarum/framework.git
synced 2024-11-29 12:43:52 +08:00
Restrict who can use the lastSeenAt user sort (#2634)
This commit is contained in:
parent
5813f2522c
commit
8eb57ec990
|
@ -76,6 +76,13 @@ class ListUsersController extends AbstractListController
|
|||
|
||||
$actor->assertCan('viewUserList');
|
||||
|
||||
if (! $actor->hasPermission('user.viewLastSeenAt')) {
|
||||
// If a user cannot see everyone's last online date, we prevent them from sorting by it
|
||||
// Otherwise this sort field would defeat the privacy setting discloseOnline
|
||||
// We use remove instead of add so that extensions can still completely disable the sort using the extender
|
||||
$this->removeSortField('lastSeenAt');
|
||||
}
|
||||
|
||||
$filters = $this->extractFilter($request);
|
||||
$sort = $this->extractSort($request);
|
||||
|
||||
|
|
|
@ -91,6 +91,49 @@ class ListTest extends TestCase
|
|||
$this->assertEquals(['1', '2'], Arr::pluck($data, 'id'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
public function allows_last_seen_sorting_with_permission()
|
||||
{
|
||||
$this->prepareDatabase([
|
||||
'group_permission' => [
|
||||
['permission' => 'viewUserList', 'group_id' => 2],
|
||||
['permission' => 'user.viewLastSeenAt', 'group_id' => 2],
|
||||
],
|
||||
]);
|
||||
|
||||
$response = $this->send(
|
||||
$this->request('GET', '/api/users')
|
||||
->withQueryParams([
|
||||
'sort' => 'lastSeenAt',
|
||||
])
|
||||
);
|
||||
|
||||
$this->assertEquals(200, $response->getStatusCode());
|
||||
}
|
||||
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
public function disallows_last_seen_sorting_without_permission()
|
||||
{
|
||||
$this->prepareDatabase([
|
||||
'group_permission' => [
|
||||
['permission' => 'viewUserList', 'group_id' => 2],
|
||||
],
|
||||
]);
|
||||
|
||||
$response = $this->send(
|
||||
$this->request('GET', '/api/users')
|
||||
->withQueryParams([
|
||||
'sort' => 'lastSeenAt',
|
||||
])
|
||||
);
|
||||
|
||||
$this->assertEquals(400, $response->getStatusCode());
|
||||
}
|
||||
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue
Block a user