Honor avatar visibility settings

Fixes #5456 Only when an avatar is set to public should we show it to the public. For now this has an open question as to how to solve federated avatars. But I assume a dedicated paramter or endpooint would make sense there. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
nextcloud · Oct 28, 2019 · 0bd1378 · 0bd1378
1 parent 921f748
commit 0bd1378
Showing 1 changed file with 26 additions and 4 deletions.
diff --git a/core/Controller/AvatarController.php b/core/Controller/AvatarController.php
@@ -28,6 +28,7 @@
 namespace OC\Core\Controller;
 
 use OC\AppFramework\Utility\TimeFactory;
+use OCP\Accounts\IAccountManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataDisplayResponse;
@@ -76,6 +77,8 @@ class AvatarController extends Controller {
 
 	/** @var TimeFactory */
 	protected $timeFactory;
+	/** @var IAccountManager */
+	private $accountManager;
 
 	/**
 	 * @param string $appName
@@ -98,7 +101,8 @@ public function __construct($appName,
 								IRootFolder $rootFolder,
 								ILogger $logger,
 								$userId,
-								TimeFactory $timeFactory) {
+								TimeFactory $timeFactory,
+								IAccountManager $accountManager) {
 		parent::__construct($appName, $request);
 
 		$this->avatarManager = $avatarManager;
@@ -109,6 +113,7 @@ public function __construct($appName,
 		$this->logger = $logger;
 		$this->userId = $userId;
 		$this->timeFactory = $timeFactory;
+		$this->accountManager = $accountManager;
 	}
 
 
@@ -130,6 +135,19 @@ public function getAvatar($userId, $size) {
 			$size = 64;
 		}
 
+		$user = $this->userManager->get($userId);
+		if ($user === null) {
+			return $this->return404();
+		}
+
+		$account = $this->accountManager->getAccount($user);
+		$scope = $account->getProperty(IAccountManager::PROPERTY_AVATAR)->getScope();
+
+		if ($scope !== IAccountManager::VISIBILITY_PUBLIC && $this->userId === null) {
+			// Public avatar access is not allowed
+			return $this->return404();
+		}
+
 		try {
 			$avatar = $this->avatarManager->getAvatar($userId);
 			$avatarFile = $avatar->getFile($size);
@@ -139,16 +157,20 @@ public function getAvatar($userId, $size) {
 				['Content-Type' => $avatarFile->getMimeType()]
 			);
 		} catch (\Exception $e) {
-			$resp = new Http\Response();
-			$resp->setStatus(Http::STATUS_NOT_FOUND);
-			return $resp;
+			return $this->return404();
 		}
 
 		// Cache for 30 minutes
 		$resp->cacheFor(1800);
 		return $resp;
 	}
 
+	private function return404(): Http\Response {
+		$resp = new Http\Response();
+		$resp->setStatus(Http::STATUS_NOT_FOUND);
+		return $resp;
+	}
+
 	/**
 	 * @NoAdminRequired
 	 *