Add privilege for accessing user information (#7859)

* Add view users info global privilege * Show user ip only to global mods and admins * fix missing comma * Hide link for users without correct privilege * move getting privilege information to getAllData * Hide the link from Global Moderators as well * Give Global Moderator view:users:info privilege * Restrict ip in post menu to view:users:info * add some trailing commas.... * Add privilege to categories test * Add group privilege to categories test * add upgrade script * fix style for TravisCI * more styling - change spaces to tabs * some more styling fixes (hopefully final one) * fix style for Travis CI * hide ip in chat messages * Don't show even hidden ips on user profile page
2025-10-28 09:36:16 +01:00 · 2019-09-17 18:02:52 +00:00
parent 781b3f1a9a
commit b9583ed838
10 changed files with 69 additions and 8 deletions
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
@@ -31,6 +31,7 @@ helpers.getUserDataByUserSlug = async function (userslug, callerUID) {
 	const isAdmin = results.isAdmin;
 	const isGlobalModerator = results.isGlobalModerator;
 	const isModerator = results.isModerator;
+	const canViewInfo = results.canViewInfo;
 	const isSelf = parseInt(callerUID, 10) === parseInt(userData.uid, 10);

 	userData.age = Math.max(0, userData.birthday ? Math.floor((new Date().getTime() - new Date(userData.birthday).getTime()) / 31536000000) : 0);
@@ -47,7 +48,7 @@ helpers.getUserDataByUserSlug = async function (userslug, callerUID) {
 		userData.fullname = '';
 	}

-	if (isAdmin || isSelf || ((isGlobalModerator || isModerator) && !results.isTargetAdmin)) {
+	if (isAdmin || isSelf || (canViewInfo && !results.isTargetAdmin)) {
 		userData.ips = results.ips;
 	}

@@ -86,6 +87,7 @@ helpers.getUserDataByUserSlug = async function (userslug, callerUID) {
 		moderator: isModerator,
 		globalMod: isGlobalModerator,
 		admin: isAdmin,
+		canViewInfo: canViewInfo,
 	});

 	userData.sso = results.sso.associations;
@@ -129,6 +131,7 @@ async function getAllData(uid, callerUID) {
 		canEdit: privileges.users.canEdit(callerUID, uid),
 		canBanUser: privileges.users.canBanUser(callerUID, uid),
 		isBlocked: user.blocks.is(uid, callerUID),
+		canViewInfo: privileges.global.can('view:users:info', callerUID),
 	});
 }

@@ -140,9 +143,10 @@ async function getProfileMenu(uid, callerUID) {
 		visibility: {
 			self: false,
 			other: false,
-			moderator: true,
-			globalMod: true,
+			moderator: false,
+			globalMod: false,
 			admin: true,
+			canViewInfo: true,
 		},
 	}, {
 		id: 'sessions',
@@ -154,6 +158,7 @@ async function getProfileMenu(uid, callerUID) {
 			moderator: false,
 			globalMod: false,
 			admin: false,
+			canViewInfo: false,
 		},
 	}];

@@ -168,6 +173,7 @@ async function getProfileMenu(uid, callerUID) {
 				moderator: false,
 				globalMod: false,
 				admin: false,
+				canViewInfo: false,
 			},
 		});
 	}
@@ -202,6 +208,7 @@ function filterLinks(links, states) {
 			moderator: true,
 			globalMod: true,
 			admin: true,
+			canViewInfo: true,
 			...link.visibility };

 		var permit = Object.keys(states).some(function (state) {