Merge pull request #545 from TonisOrmisson/limit-profile-view

maxxer · web-flow · commit 29a878fa4f68 · 2024-03-08T09:36:09.000+01:00
Add option to limit profile views only for admin users
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Fix: Social Network Auth (eluhr)
 - Enh #532: /user/registration/register now shows form validation errors
 - Enh: Allow/suggest new v3 releases of 2amigos 2fa dependencies: 2fa-library, qrcode-library (TonisOrmisson) 
+- Enh: Added option to disable viewing any other user's profile for non-admin users (TonisOrmisson)
 
 ## 1.6.2 Jan 4th, 2024
 
diff --git a/docs/install/configuration-options.md b/docs/install/configuration-options.md
@@ -313,6 +313,11 @@ Set to `true` to restrict user assignments to roles only.
 
 If `true` registration and last login IPs are not logged into users table, instead a dummy 127.0.0.1 is used
 
+
+#### disableProfileViewsForRegularUsers (type: `boolean`, default: `false`)
+
+If `true` only admin users have access to view any other user's profile. By default any user can see any other users public profile page.
+
 #### minPasswordRequirements (type: `array`, default: `['lower' => 1, 'digit' => 1, 'upper' => 1]`)
 
 Minimum requirements when a new password is automatically generated.
diff --git a/src/User/Controller/ProfileController.php b/src/User/Controller/ProfileController.php
@@ -11,15 +11,20 @@
 
 namespace Da\User\Controller;
 
+use Da\User\Model\User;
 use Da\User\Query\ProfileQuery;
+use Da\User\Traits\ModuleAwareTrait;
 use Yii;
 use yii\base\Module;
 use yii\filters\AccessControl;
 use yii\web\Controller;
+use yii\web\ForbiddenHttpException;
 use yii\web\NotFoundHttpException;
 
 class ProfileController extends Controller
 {
+    use ModuleAwareTrait;
+
     protected $profileQuery;
 
     /**
@@ -67,6 +72,13 @@ public function actionIndex()
 
     public function actionShow($id)
     {
+        $user = Yii::$app->user;
+        /** @var User $identity */
+        $identity = $user->getIdentity();
+        if($user->getId() != $id && $this->module->disableProfileViewsForRegularUsers && !$identity->getIsAdmin()) {
+            throw new ForbiddenHttpException();
+        }
+
         $profile = $this->profileQuery->whereUserId($id)->one();
 
         if ($profile === null) {
diff --git a/src/User/Module.php b/src/User/Module.php
@@ -241,6 +241,10 @@ class Module extends BaseModule
      * @var boolean whether to disable IP logging into user table
      */
     public $disableIpLogging = false;
+    /**
+     * @var boolean whether to disable viewing any user's profile for non-admin users
+     */
+    public $disableProfileViewsForRegularUsers = false;
     /**
      * @var array Minimum requirements when a new password is automatically generated.
      *            Array structure: `requirement => minimum number characters`.
