Deny to view a public content from private container

2025-04-21 07:31:53 +02:00 · 2023-03-24 15:15:34 +03:00 · 2023-03-24 15:15:34 +03:00 · d06760f422
commit d06760f422
parent bb0d8a5f1f
4 changed files with 63 additions and 4 deletions
--- a/protected/humhub/modules/content/components/ContentContainerActiveRecord.php
+++ b/protected/humhub/modules/content/components/ContentContainerActiveRecord.php
@ -158,6 +158,17 @@ abstract class ContentContainerActiveRecord extends ActiveRecord
        return false;
    }

+    /**
+     * Checks if the user is allowed to view a content in this container
+     *
+     * @param User|null $user
+     * @return bool
+     */
+    public function canView(?User $user = null): bool
+    {
+        return false;
+    }
+
    /**
     * Returns the wall output for this content container.
     * This is e.g. used in search results.
--- a/protected/humhub/modules/content/models/Content.php
+++ b/protected/humhub/modules/content/models/Content.php
@ -859,13 +859,17 @@ class Content extends ActiveRecord implements Movable, ContentOwner
            return $this->checkGuestAccess();
        }

-        // Public visible content
-        if ($this->isPublic()) {
+        // Check system admin can see all content module configuration
+        if ($user->canViewAllContent()) {
            return true;
        }

-        // Check system admin can see all content module configuration
-        if ($user->canViewAllContent()) {
+        if ($this->getContainer() !== null && !$this->getContainer()->canView($user)) {
+            return false;
+        }
+
+        // Public visible content
+        if ($this->isPublic()) {
            return true;
        }

--- a/protected/humhub/modules/space/models/Space.php
+++ b/protected/humhub/modules/space/models/Space.php
@ -515,6 +515,28 @@ class Space extends ContentContainerActiveRecord implements Searchable
        return ($this->isMember($user));
    }

+    /**
+     * @inheritdoc
+     */
+    public function canView(?User $user = null): bool
+    {
+        if ($this->visibility === Space::VISIBILITY_ALL) {
+            return true;
+        }
+
+        $user = !$user && !Yii::$app->user->isGuest ? Yii::$app->user->getIdentity() : $user;
+
+        if (!$user) {
+            return false;
+        }
+
+        if ($this->visibility === Space::VISIBILITY_REGISTERED_ONLY) {
+            return true;
+        }
+
+        return $this->visibility === Space::VISIBILITY_NONE && $this->canAccessPrivateContent($user);
+    }
+
    /**
     * @inheritdoc
     */
--- a/protected/humhub/modules/user/models/User.php
+++ b/protected/humhub/modules/user/models/User.php
@ -743,6 +743,28 @@ class User extends ContentContainerActiveRecord implements IdentityInterface, Se
        return false;
    }

+    /**
+     * @inheritdoc
+     */
+    public function canView(?User $user = null): bool
+    {
+        if ($this->visibility === User::VISIBILITY_ALL) {
+            return true;
+        }
+
+        $user = !$user && !Yii::$app->user->isGuest ? Yii::$app->user->getIdentity() : $user;
+
+        if (!$user) {
+            return false;
+        }
+
+        if ($this->visibility === User::VISIBILITY_REGISTERED_ONLY) {
+            return true;
+        }
+
+        return $this->visibility === User::VISIBILITY_HIDDEN && $this->canAccessPrivateContent($user);
+    }
+
    /**
     * Checks if the user is allowed to view all content
     *