Anonymous users denied access to profile picture when configured as n…

…on-public through ImageHandler

DNN Platform/Library/Services/GeneratedImage/ImageHandlerInternal.cs

@@ -19,7 +19,8 @@ namespace DotNetNuke.Services.GeneratedImage
     using System.Web;
 
     using DotNetNuke.Common.Utilities;
-    using DotNetNuke.Entities.Portals;
+    using DotNetNuke.Entities.Portals;
+    using DotNetNuke.Entities.Users;
     using DotNetNuke.Services.GeneratedImage.ImageQuantization;
     using DotNetNuke.Services.Log.EventLog;
     using DotNetNuke.Services.UserRequest;
@@ -92,7 +93,7 @@ public TimeSpan IpCountPurgeInterval
 
         public string[] AllowedDomains { get; set; }
 
-        public bool LogSecurity { get; set; }
+        public bool LogSecurity { get; set; }
 
         public List<ImageTransform> ImageTransforms
         {
@@ -214,12 +215,12 @@ public void HandleImageRequest(HttpContextBase context, Func<NameValueCollection
             string cacheId = this.GetUniqueIDString(context, uniqueIdStringSeed);
 
             var cacheCleared = false;
-            var profilepic = context.Request.QueryString["mode"];
+            var profilepic = context.Request.QueryString["mode"];
+            int userId = -1;
             if ("profilepic".Equals(profilepic, StringComparison.InvariantCultureIgnoreCase))
             {
-                int userId;
                 if (int.TryParse(context.Request.QueryString["userId"], out userId))
-                {
+                {
                     cacheCleared = this.ClearDiskImageCacheIfNecessary(userId, PortalSettings.Current.PortalId, cacheId);
                 }
             }
@@ -251,7 +252,31 @@ public void HandleImageRequest(HttpContextBase context, Func<NameValueCollection
 
             // Handle Server cache
             if (this.EnableServerCache)
-            {
+            {
+                if (!this.IsPicVisibleToCurrentUser(userId))
+                {
+                    string message = "Not allowed to see profile picture";
+
+                    if (this.LogSecurity)
+                    {
+                        EventLogController logController = new EventLogController();
+                        var logInfo = new LogInfo
+                        {
+                            LogUserID = PortalSettings.Current.UserId,
+                            LogPortalID = PortalSettings.Current.PortalId,
+                            LogTypeKey = EventLogController.EventLogType.ADMIN_ALERT.ToString(),
+                        };
+                        logInfo.AddProperty("DnnImageHandler", message);
+                        logInfo.AddProperty("IP", ipAddress);
+                        logController.AddLog(logInfo);
+                    }
+
+                    context.Response.StatusCode = 403;
+                    context.Response.StatusDescription = "Forbidden";
+                    context.Response.End();
+                    return;
+                }
+
                 if (this.ImageStore.TryTransmitIfContains(cacheId, context.Response))
                 {
                     context.Response.Flush();
@@ -474,6 +499,25 @@ private void RenderImage(Image image, Stream outStream)
             {
                 image?.Dispose();
             }
+        }
+
+        private bool IsPicVisibleToCurrentUser(int profileUserId)
+        {
+            var settings = PortalController.Instance.GetCurrentSettings();
+            var profileUser = UserController.Instance.GetUser(settings.PortalId, profileUserId);
+            if (profileUser == null)
+            {
+                return false;
+            }
+
+            var photoProperty = profileUser.Profile.GetProperty("Photo");
+            if (photoProperty == null)
+            {
+                return false;
+            }
+
+            var currentUser = UserController.Instance.GetCurrentUserInfo();
+            return ProfilePropertyAccess.CheckAccessLevel((PortalSettings)settings, photoProperty, currentUser, profileUser);
         }
     }
 }