From 5c0d050d2489b0f760c88365ef80a0181e0a1ca5 Mon Sep 17 00:00:00 2001 From: tonis Date: Fri, 8 Mar 2024 13:40:14 +0200 Subject: [PATCH 1/7] fixed profile page being globally open by anyone by default --- docs/install/configuration-options.md | 9 ++ src/User/Controller/ProfileController.php | 37 +++++++- src/User/Module.php | 7 ++ tests/_fixtures/data/profile.php | 4 + tests/_fixtures/data/user.php | 28 +++++- tests/functional/ProfileCept.php | 110 ++++++++++++++++++++++ 6 files changed, 191 insertions(+), 4 deletions(-) create mode 100644 tests/functional/ProfileCept.php diff --git a/docs/install/configuration-options.md b/docs/install/configuration-options.md index ed86a61e..0af48341 100755 --- a/docs/install/configuration-options.md +++ b/docs/install/configuration-options.md @@ -241,6 +241,15 @@ simple backends with static administrators that won't change throughout time. Configures the permission name for `administrators`. See [AuthHelper](../../src/User/Helper/AuthHelper.php). +#### profileVisibility (type: `integer`, default:`0` (ProfileController::PROFILE_VISIBILITY_OWNER)) + +Configures to whom users 'profile/show' (public profile) page is shown. Constant values are defined in +[ProfileController](../../src/User/Controller/ProfileController.php) as constants. The visibility levels are: +- `0` (ProfileController::PROFILE_VISIBILITY_OWNER): The users profile page is shown ONLY to user itself, the owner of the profile. +- `1` (ProfileController::PROFILE_VISIBILITY_ADMIN): The users profile is shown ONLY to user itself (owner) AND users defined by module as admins. +- `2` (ProfileController::PROFILE_VISIBILITY_USERS): Any users profile page is shown to any other non-guest user. +- `3` (ProfileController::PROFILE_VISIBILITY_PUBLIC): Any user profile views are globally public and visible to anyone (including guests). + #### prefix (type: `string`, default: `user`) Configures the URL prefix for the module. 
diff --git a/src/User/Controller/ProfileController.php b/src/User/Controller/ProfileController.php
index 2a9e66b9..e7143249 100644
--- a/src/User/Controller/ProfileController.php
+++ b/src/User/Controller/ProfileController.php
@@ -25,6 +25,15 @@ class ProfileController extends Controller
 {
 use ModuleAwareTrait;
 
+ /** @var int will allow only profile owner */
+ const PROFILE_VISIBILITY_OWNER = 0;
+ /** @var int will allow profile owner and admin users */
+ const PROFILE_VISIBILITY_ADMIN = 1;
+ /** @var int will allow any logged-in user */
+ const PROFILE_VISIBILITY_USERS = 2;
+ /** @var int will allow anyone, including gusets */
+ public const PROFILE_VISIBILITY_PUBLIC = 3;
+
 protected $profileQuery;
 
 /**
@@ -73,10 +82,32 @@ public function actionIndex()
 public function actionShow($id)
 {
 $user = Yii::$app->user;
- /** @var User $identity */
+ $id = (int) $id;
+
+ /** @var ?User $identity */
 $identity = $user->getIdentity();
- if($user->getId() != $id && $this->module->disableProfileViewsForRegularUsers && !$identity->getIsAdmin()) {
- throw new ForbiddenHttpException();
+
+ switch($this->module->profileVisibility) {
+ case static::PROFILE_VISIBILITY_OWNER:
+ if($identity === null || $id !== $user->getId()) {
+ throw new ForbiddenHttpException("1");
+ }
+ break;
+ case static::PROFILE_VISIBILITY_ADMIN:
+ if($id === $user->getId() || ($identity !== null && $identity->getIsAdmin())) {
+ break;
+ }
+ throw new ForbiddenHttpException();
+ case static::PROFILE_VISIBILITY_USERS:
+ if((!$user->getIsGuest())) {
+ break;
+ }
+ throw new ForbiddenHttpException();
+ case static::PROFILE_VISIBILITY_PUBLIC:
+ break;
+ default:
+ throw new ForbiddenHttpException();
+
 }
 
 $profile = $this->profileQuery->whereUserId($id)->one();
diff --git a/src/User/Module.php b/src/User/Module.php
index a27360b6..307f1b5a 100755
--- a/src/User/Module.php
+++ b/src/User/Module.php
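Review bot: The four new constants in the first hunk are declared inconsistently: `PROFILE_VISIBILITY_OWNER`, `PROFILE_VISIBILITY_ADMIN` and `PROFILE_VISIBILITY_USERS` use bare `const` while `PROFILE_VISIBILITY_PUBLIC` is `public const`. Since Module.php, the docs and the new functional test all reference these as configuration values, declare them uniformly, e.g. `public const PROFILE_VISIBILITY_OWNER = 0;` and likewise for the other two. The `@var int` docblocks would also be easier to keep in sync with the docs if they used the same wording ("profile owner only", "owner and module administrators", "any authenticated user", "anyone including guests").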
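Review bot: In the actionShow hunk `$id` is cast on the new line `$id = (int) $id;` and then compared with `$user->getId()` using `!==`/`===`, so the OWNER and ADMIN policies only recognise the owner if the identity's `getId()` returns an int, which is not visible here; if it can return a numeric string (some PDO driver settings, or a custom identity class), the OWNER policy forbids the owner and the ADMIN policy silently degrades to admin-only, which the new test would catch only on the driver it runs against. Normalising both sides once, `$isOwner = $identity !== null && $id === (int) $user->getId();`, removes that dependency. The switch also mixes two flows (OWNER throws on failure then breaks, ADMIN/USERS break on success then throw), which makes the policy harder to audit; a boolean helper with a single throw site keeps the fail-closed `default` (an unrecognised `profileVisibility` denies everyone, owner included) and reads as a policy table. A non-numeric `$id` becomes 0 after the cast and falls through to the profile lookup, whose null handling and the rest of actionShow lie outside the hunk.
```php
        // … unchanged: $user / $identity setup …
        if (!$this->canViewProfile($id, $user, $identity)) {
            throw new ForbiddenHttpException();
        }
        // … unchanged: rest of actionShow (profile lookup, render) …

    // new private method, placed after actionShow
    /**
     * Whether the current request may view the profile of user $id under
     * $this->module->profileVisibility. Any unrecognised policy value denies
     * everyone, matching the previous `default:` branch.
     */
    private function canViewProfile(int $id, $user, $identity): bool
    {
        $isOwner = $identity !== null && $id === (int) $user->getId();

        switch ($this->module->profileVisibility) {
            case static::PROFILE_VISIBILITY_OWNER:
                return $isOwner;
            case static::PROFILE_VISIBILITY_ADMIN:
                return $isOwner || ($identity !== null && $identity->getIsAdmin());
            case static::PROFILE_VISIBILITY_USERS:
                return !$user->getIsGuest();
            case static::PROFILE_VISIBILITY_PUBLIC:
                return true;
            default:
                return false;
        }
    }
```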
@@ -12,6 +12,7 @@ namespace Da\User; use Da\User\Contracts\MailChangeStrategyInterface; +use Da\User\Controller\ProfileController; use Da\User\Filter\AccessRuleFilter; use Yii; use yii\base\Module as BaseModule; @@ -181,6 +182,12 @@ class Module extends BaseModule * @var string the administrator permission name */ public $administratorPermissionName; + /** + * @var int $profileVisibility Defines the level of user's profile page visibility. + * Defaults to ProfileController::PROFILE_VISIBILITY_OWNER meaning no-one except the user itself can view + * the profile. @see ProfileController constants for prssible options + */ + public $profileVisibility = ProfileController::PROFILE_VISIBILITY_OWNER; /** * @var string the route prefix */ diff --git a/tests/_fixtures/data/profile.php b/tests/_fixtures/data/profile.php index 7b2a40fa..f1b7234a 100644 --- a/tests/_fixtures/data/profile.php +++ b/tests/_fixtures/data/profile.php @@ -7,4 +7,8 @@ 'user_id' => 1, 'name' => 'John Doe', ], + 'seconduser' => [ + 'user_id' => 9, + 'name' => 'John Doe 2', + ], ]; diff --git a/tests/_fixtures/data/user.php b/tests/_fixtures/data/user.php index 2f596612..e255df15 100644 --- a/tests/_fixtures/data/user.php +++ b/tests/_fixtures/data/user.php @@ -78,7 +78,7 @@ 'username' => 'user2fa', 'email' => 'user2faenabled@example.com', 'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui', - 'auth_key' => '39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq', + 'auth_key' => '08aff8636535eb934ae7aa205254ac6b', 'auth_tf_key' => '', 'auth_tf_enabled' => true, 'auth_tf_type' => 'google-authenticator', 
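Review bot: The property hunk in Module.php introduces a dependency from the module onto one of its controllers (`use Da\User\Controller\ProfileController;`) solely to read the default `ProfileController::PROFILE_VISIBILITY_OWNER`; configuration values conventionally live on the module, and evaluating that default autoloads the controller class whenever the module is instantiated. Consider declaring the four `PROFILE_VISIBILITY_*` constants on `Module` and having the controller reference them (keeping the controller constants as aliases for compatibility), so the import can be dropped. The docblock could also state the accepted range and the failure mode the controller implements, e.g. `@var int one of the PROFILE_VISIBILITY_* constants (0-3); any other value makes profile/show forbidden for everyone`, which is what the controller's `default` branch does.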
@@ -87,4 +87,30 @@
 'confirmed_at' => $time,
 'gdpr_consent' => false,
 ],
+ 'admin' => [
+ 'id' => 8,
+ 'username' => 'admin',
+ 'email' => 'admin@example.com',
+ 'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
+ 'auth_key' => '39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq',
+ 'auth_tf_key' => '',
+ 'auth_tf_enabled' => false,
+ 'created_at' => $time,
+ 'updated_at' => $time,
+ 'confirmed_at' => $time,
+ 'gdpr_consent' => false,
+ ],
+ 'seconduser' => [
+ 'id' => 9,
+ 'username' => 'seconduser',
+ 'email' => 'seconduser@example.com',
+ 'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
+ 'auth_key' => '776960890cec5ac53525f0e910716f5a',
+ 'auth_tf_key' => '',
+ 'auth_tf_enabled' => false,
+ 'created_at' => $time,
+ 'updated_at' => $time,
+ 'confirmed_at' => $time,
+ 'gdpr_consent' => false,
+ ],
 ];
diff --git a/tests/functional/ProfileCept.php b/tests/functional/ProfileCept.php
new file mode 100644
index 00000000..29330982
--- /dev/null
+++ b/tests/functional/ProfileCept.php
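Review bot: The new `admin` fixture row reuses `auth_key` `39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq`, the value the preceding hunk removes from `user2fa` and patch 6/7 of this series restores, so after the series two fixture users carry the same auth key (and every row shares one `password_hash`). Yii's cookie login pairs the id with the key, so the new test is unaffected, but a distinct `'auth_key' => '<unique-32-char-fixture-value>'` per row avoids masking an identity mix-up in any future `validateAuthKey` test. The `user2fa` edit in the previous hunk is unrelated to the visibility fix and reads as a stray change that the later patch has to undo.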
@@ -0,0 +1,110 @@
+haveFixtures([
+ 'user' => UserFixture::class,
+ 'profile' => ProfileFixture::class
+]);
+$user = $I->grabFixture('user', 'user');
+$secondUser = $I->grabFixture('user', 'seconduser');
+$adminUser = $I->grabFixture('user', 'admin');
+$I->wantTo('Ensure that profile profile pages are shown only to when user has correct permissions and else forbidden');
+
+Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_OWNER;
+Yii::$app->getModule('user')->administrators = ['admin'];
+
+$I->amLoggedInAs($user);
+$I->amGoingTo('try to open users own profile page');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->dontSee('Forbidden');
+$I->see('Joined on');
+
+$I->amGoingTo('Profile visibility::OWNER: try to open another users profile page');
+$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
+$I->expectTo('See the profile page');
+$I->see('Forbidden');
+$I->dontSee('Joined on');
+
+Yii::$app->user->logout();
+$I->amGoingTo('Profile visibility::OWNER: try to open users profile page as guest');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->see('Forbidden');
+$I->dontSee('Joined on');
+
+
+Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_ADMIN;
+$I->amLoggedInAs($user);
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open users own profile page');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->dontSee('Forbidden');
+$I->see('Joined on');
+
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open another users profile page as regular user');
+$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
+$I->expectTo('See the profile page');
+$I->see('Forbidden');
+$I->dontSee('Joined on');
+
+$I->amLoggedInAs($adminUser);
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open another users profile page as admin');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->dontSee('Forbidden');
+$I->see('Joined on');
+
+Yii::$app->user->logout();
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open users profile page as guest');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->see('Forbidden');
+$I->dontSee('Joined on');
+
+
+Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_USERS;
+$I->amLoggedInAs($user);
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open users own profile page');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->dontSee('Forbidden');
+$I->see('Joined on');
+
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open another users profile page as regular user');
+$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
+$I->expectTo('See the profile page');
+$I->dontSee('Forbidden');
+$I->see('Joined on');
+
+$I->amLoggedInAs($adminUser);
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open another users profile page as admin');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->dontSee('Forbidden');
+$I->see('Joined on');
+
+Yii::$app->user->logout();
+$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open users profile page as guest');
+$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
+$I->expectTo('See the profile page');
+$I->see('Forbidden');
+$I->dontSee('Joined on');
+
+Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_PUBLIC;
+
+Yii::$app->user->logout();
+$I->amGoingTo('Profile 
visibility::PROFILE_VISIBILITY_PUBLIC: try to open users profile page as guest'); +$I->amOnRoute('/user/profile/show', ['id' => $user->id]); +$I->expectTo('See the profile page'); +$I->dontSee('Forbidden'); +$I->see('Joined on'); + From d5d211a9e9a611fd9b4f989ee956aae720b5a93e Mon Sep 17 00:00:00 2001 From: tonis Date: Fri, 8 Mar 2024 14:11:45 +0200 Subject: [PATCH 2/7] typos --- src/User/Controller/ProfileController.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/User/Controller/ProfileController.php b/src/User/Controller/ProfileController.php index e7143249..4ed53d4e 100644 --- a/src/User/Controller/ProfileController.php +++ b/src/User/Controller/ProfileController.php @@ -29,9 +29,9 @@ class ProfileController extends Controller const PROFILE_VISIBILITY_OWNER = 0; /** @var int will allow profile owner and admin users */ const PROFILE_VISIBILITY_ADMIN = 1; - /** @var int will allow any logged-in user */ + /** @var int will allow any logged-in users */ const PROFILE_VISIBILITY_USERS = 2; - /** @var int will allow anyone, including gusets */ + /** @var int will allow anyone, including guests */ public const PROFILE_VISIBILITY_PUBLIC = 3; protected $profileQuery; From f319bf70e217aab99503641284a29e6385af95b0 Mon Sep 17 00:00:00 2001 From: tonis Date: Fri, 8 Mar 2024 14:15:30 +0200 Subject: [PATCH 3/7] typos, remove disableProfileViewsForRegularUsers --- src/User/Controller/ProfileController.php | 2 +- src/User/Module.php | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/src/User/Controller/ProfileController.php b/src/User/Controller/ProfileController.php index 4ed53d4e..da779b8b 100644 --- a/src/User/Controller/ProfileController.php +++ b/src/User/Controller/ProfileController.php 
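Review bot: Every scenario in ProfileCept.php records `$I->expectTo('See the profile page');`, including the ones that then assert `$I->see('Forbidden');` (the OWNER, ADMIN and USERS guest and non-owner cases), so the expectation text contradicts the assertion that follows it; use `$I->expectTo('Be forbidden');` in those six places. The test also rewrites shared module state (`profileVisibility`, `administrators`) and toggles login without restoring anything, so other Cept files in the same process may observe the last policy set here unless the test app is rebuilt per test; restoring the previous `profileVisibility` at the end would make the file self-contained. The PUBLIC level is only exercised as a guest; an owner and a non-owner request would add three lines each and pin the `break` branch for authenticated users too. As rendered, the hunk begins at `+haveFixtures([`, so the file header (`<?php`, `use` lines and the `$I` setup) is not visible here and could not be checked.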
@@ -90,7 +90,7 @@ public function actionShow($id) switch($this->module->profileVisibility) { case static::PROFILE_VISIBILITY_OWNER: if($identity === null || $id !== $user->getId()) { - throw new ForbiddenHttpException("1"); + throw new ForbiddenHttpException(); } break; case static::PROFILE_VISIBILITY_ADMIN: diff --git a/src/User/Module.php b/src/User/Module.php index 307f1b5a..85c76dfc 100755 --- a/src/User/Module.php +++ b/src/User/Module.php @@ -248,10 +248,6 @@ class Module extends BaseModule * @var boolean whether to disable IP logging into user table */ public $disableIpLogging = false; - /** - * @var boolean whether to disable viewing any user's profile for non-admin users - */ - public $disableProfileViewsForRegularUsers = false; /** * @var array Minimum requirements when a new password is automatically generated. * Array structure: `requirement => minimum number characters`. From f4c71b06c1eff7d823d24f7e449d3f9bc00050ce Mon Sep 17 00:00:00 2001 From: tonis Date: Fri, 8 Mar 2024 14:18:15 +0200 Subject: [PATCH 4/7] remove disableProfileViewsForRegularUsers from docs --- docs/install/configuration-options.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/install/configuration-options.md b/docs/install/configuration-options.md index 0af48341..f1ffd672 100755 --- a/docs/install/configuration-options.md +++ b/docs/install/configuration-options.md @@ -322,11 +322,6 @@ Set to `true` to restrict user assignments to roles only. If `true` registration and last login IPs are not logged into users table, instead a dummy 127.0.0.1 is used - -#### disableProfileViewsForRegularUsers (type: `boolean`, default: `false`) - -If `true` only admin users have access to view any other user's profile. By default any user can see any other users public profile page. - #### minPasswordRequirements (type: `array`, default: `['lower' => 1, 'digit' => 1, 'upper' => 1]`) Minimum requirements when a new password is automatically generated. 
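Review bot: Removing the public property `$disableProfileViewsForRegularUsers` in the Module.php hunk is a breaking change for existing installs: Yii applies module configuration through `__set`, which throws `UnknownPropertyException` for a name that no longer exists, so any application config still setting this option stops booting after the upgrade. Keep the property for one release, document it as `@deprecated use $profileVisibility instead`, and map `true` to `ProfileController::PROFILE_VISIBILITY_ADMIN` in `init()` (its previous meaning, per the removed condition), or at least call the removal out in the changelog and upgrade notes; the changelog line added in patch 7 only describes the new policy, and the existing "Added option to disable viewing..." entry still advertises the removed option. The ProfileController hunk above only drops the stray `"1"` exception message and needs nothing further.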
From 208dd29d7106cf907d1d964239f138e4ef536bf2 Mon Sep 17 00:00:00 2001 From: tonis Date: Fri, 8 Mar 2024 14:21:11 +0200 Subject: [PATCH 5/7] typo --- src/User/Module.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/User/Module.php b/src/User/Module.php index 85c76dfc..35eb7f1b 100755 --- a/src/User/Module.php +++ b/src/User/Module.php @@ -185,7 +185,7 @@ class Module extends BaseModule /** * @var int $profileVisibility Defines the level of user's profile page visibility. * Defaults to ProfileController::PROFILE_VISIBILITY_OWNER meaning no-one except the user itself can view - * the profile. @see ProfileController constants for prssible options + * the profile. @see ProfileController constants for possible options */ public $profileVisibility = ProfileController::PROFILE_VISIBILITY_OWNER; /** From 420e4e0af1c64adfdf14ac77023614726fbfe183 Mon Sep 17 00:00:00 2001 From: tonis Date: Fri, 8 Mar 2024 14:23:45 +0200 Subject: [PATCH 6/7] typo --- tests/_fixtures/data/user.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/_fixtures/data/user.php b/tests/_fixtures/data/user.php index e255df15..01fba29f 100644 --- a/tests/_fixtures/data/user.php +++ b/tests/_fixtures/data/user.php @@ -78,7 +78,7 @@ 'username' => 'user2fa', 'email' => 'user2faenabled@example.com', 'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui', - 'auth_key' => '08aff8636535eb934ae7aa205254ac6b', + 'auth_key' => '39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq', 'auth_tf_key' => '', 'auth_tf_enabled' => true, 'auth_tf_type' => 'google-authenticator', From cf6f9db74f1a3f86d9fb36578e5ac26cddf40498 Mon Sep 17 00:00:00 2001 From: tonis Date: Fri, 8 Mar 2024 14:43:25 +0200 Subject: [PATCH 7/7] added Chengelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d6415aa..b3e119a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,7 @@ - Enh #532: /user/registration/register now shows form validation errors - Enh: Allow/suggest new v3 releases of 2amigos 2fa dependencies: 2fa-library, qrcode-library (TonisOrmisson) - Enh: Added option to disable viewing any other user's profile for non-admin users (TonisOrmisson) +- Fix #546: The profile/show page must not be visible by default, implement configurable policy (TonisOrmisson) ## 1.6.2 Jan 4th, 2024