Fix user visibility filter for guest (#6036)

2025-01-17 14:18:27 +01:00 · 2023-01-11 13:13:30 +04:00 · 2023-01-11 13:13:30 +04:00 · a37e6f78ea
commit a37e6f78ea
parent 85767eb055
1 changed files with 16 additions and 11 deletions
--- a/protected/humhub/modules/user/components/ActiveQueryUser.php
+++ b/protected/humhub/modules/user/components/ActiveQueryUser.php
@ -74,6 +74,8 @@ class ActiveQueryUser extends AbstractActiveQueryContentContainer
    {
        $this->trigger(self::EVENT_CHECK_VISIBILITY, new ActiveQueryEvent(['query' => $this]));
        $this->active();
        if ($user === null && !Yii::$app->user->isGuest) {
            try {
                $user = Yii::$app->user->getIdentity();
@ -83,19 +85,22 @@ class ActiveQueryUser extends AbstractActiveQueryContentContainer
        }
        $allowedVisibilities = [UserModel::VISIBILITY_ALL];
-        if ($user !== null) {
+        if ($user === null) {
-            if ((new PermissionManager(['subject' => $user]))->can(ManageUsers::class)) {
+            // Guest can view only public users
-                return $this;
+            return $this->andWhere(['IN', 'user.visibility', $allowedVisibilities]);
            }
            $allowedVisibilities[] = UserModel::VISIBILITY_REGISTERED_ONLY;
        }
-        return $this->active()
+        if ((new PermissionManager(['subject' => $user]))->can(ManageUsers::class)) {
-            ->andWhere(['OR',
+            // Admin/manager can view users with any visibility status
-                ['user.id' => $user->id], // User can view own profile
+            return $this;
-                ['IN', 'user.visibility', $allowedVisibilities]
+        }
-            ]);
+
        $allowedVisibilities[] = UserModel::VISIBILITY_REGISTERED_ONLY;
        return $this->andWhere(['OR',
            ['user.id' => $user->id], // User also can view own profile
            ['IN', 'user.visibility', $allowedVisibilities]
        ]);
    }