From a37e6f78ea3c9d987d4501d4816d96283629ab27 Mon Sep 17 00:00:00 2001
From: Yuriy Bakhtin
Date: Wed, 11 Jan 2023 13:13:30 +0400
Subject: [PATCH] Fix user visibility filter for guest (#6036)

---
 .../user/components/ActiveQueryUser.php | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/protected/humhub/modules/user/components/ActiveQueryUser.php b/protected/humhub/modules/user/components/ActiveQueryUser.php
index c388a07c0c..7f045aa400 100644
--- a/protected/humhub/modules/user/components/ActiveQueryUser.php
+++ b/protected/humhub/modules/user/components/ActiveQueryUser.php
@@ -74,6 +74,8 @@ class ActiveQueryUser extends AbstractActiveQueryContentContainer
     {
         $this->trigger(self::EVENT_CHECK_VISIBILITY, new ActiveQueryEvent(['query' => $this]));
 
+        $this->active();
+
         if ($user === null && !Yii::$app->user->isGuest) {
             try {
                 $user = Yii::$app->user->getIdentity();
@@ -83,19 +85,22 @@ class ActiveQueryUser extends AbstractActiveQueryContentContainer
         }
 
         $allowedVisibilities = [UserModel::VISIBILITY_ALL];
-        if ($user !== null) {
-            if ((new PermissionManager(['subject' => $user]))->can(ManageUsers::class)) {
-                return $this;
-            }
-
-            $allowedVisibilities[] = UserModel::VISIBILITY_REGISTERED_ONLY;
+        if ($user === null) {
+            // Guest can view only public users
+            return $this->andWhere(['IN', 'user.visibility', $allowedVisibilities]);
         }
 
-        return $this->active()
-            ->andWhere(['OR',
-                ['user.id' => $user->id], // User can view own profile
-                ['IN', 'user.visibility', $allowedVisibilities]
-            ]);
+        if ((new PermissionManager(['subject' => $user]))->can(ManageUsers::class)) {
+            // Admin/manager can view users with any visibility status
+            return $this;
+        }
+
+        $allowedVisibilities[] = UserModel::VISIBILITY_REGISTERED_ONLY;
+
+        return $this->andWhere(['OR',
+            ['user.id' => $user->id], // User also can view own profile
+            ['IN', 'user.visibility', $allowedVisibilities]
+        ]);
     }
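Review bot: The unconditional `$this->active();` added at the top of the first hunk also applies the active-user filter on the `can(ManageUsers::class)` early-return path in the second hunk, where the removed code returned `$this` without `->active()`, so users holding ManageUsers now lose sight of inactive accounts through this query although the commit only claims to fix the guest case. If that narrowing is intended it should be stated in the method docblock (the signature and docblock sit above the hunk); otherwise keep the guest fix but leave the manager path untouched by dropping the top-level call, returning `return $this->active()->andWhere(['IN', 'user.visibility', $allowedVisibilities]);` in the guest branch, and adding `$this->active();` immediately after the ManageUsers check, before `$allowedVisibilities[] = UserModel::VISIBILITY_REGISTERED_ONLY;`. The try/catch around `getIdentity()` that decides whether `$user` stays null continues outside the hunks, so the guest branch is only as reliable as that catch.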