From f169dcbbb21e11315b732219c9b97d2ae72e42fe Mon Sep 17 00:00:00 2001
From: Miguel Pellicer <mpellicer@entornosdeformacion.com>
Date: Mon, 15 May 2023 12:40:50 +0200
Subject: [PATCH] SAK-48657 Profile: Restrict photos to site members only
 (#11370)

---
 .../profile2/logic/SakaiProxy.java            | 19 +++++++++++
 .../profile2/util/ProfileConstants.java       |  5 +--
 .../profile2/logic/SakaiProxyImpl.java        | 32 +++++++++++++++++++
 .../entityprovider/ProfileEntityProvider.java | 32 +++++++++++++++++--
 4 files changed, 83 insertions(+), 5 deletions(-)

diff --git a/profile2/api/src/java/org/sakaiproject/profile2/logic/SakaiProxy.java b/profile2/api/src/java/org/sakaiproject/profile2/logic/SakaiProxy.java
index 016439a93c4b..e0680a68f869 100644
--- a/profile2/api/src/java/org/sakaiproject/profile2/logic/SakaiProxy.java
+++ b/profile2/api/src/java/org/sakaiproject/profile2/logic/SakaiProxy.java
@@ -1094,4 +1094,23 @@ public interface SakaiProxy {
 	 * @return the name pronunciation duration in seconds. 10 seconds if it is not configured in sakai.properties
 	 */
 	public int getNamePronunciationDuration();
+
+	/**
+	 * Check if a user is member of a site
+	 *
+	 * @param userId userId of user to check membership
+	 * @param siteId id of site
+	 * @return true if the user is member of that site
+	 */
+	public boolean isUserMemberOfSite(String userId, String siteId);
+
+	/**
+	 * Check if two users have any site membership in common
+	 *
+	 * @param userId1 userId of user to check membership
+	 * @param userId2 userId of user to check membership
+	 * @return true if both users are members of one common site
+	 */
+	public boolean areUsersMembersOfSameSite(String userId1, String userId2);
+
 }
diff --git a/profile2/api/src/java/org/sakaiproject/profile2/util/ProfileConstants.java b/profile2/api/src/java/org/sakaiproject/profile2/util/ProfileConstants.java
index b4d413c50e5d..0d4bb1e3fe29 100644
--- a/profile2/api/src/java/org/sakaiproject/profile2/util/ProfileConstants.java
+++ b/profile2/api/src/java/org/sakaiproject/profile2/util/ProfileConstants.java
@@ -352,8 +352,9 @@ public class ProfileConstants {
 	public static final String EVENT_WALL_ITEM_NEW = "profile.wall.item.new";
 	public static final String EVENT_WALL_ITEM_REMOVE = "profile.wall.item.remove";
 	public static final String EVENT_WALL_ITEM_COMMENT_NEW = "profile.wall.item.comment.new";
-	
-	
+
+	public static final String EVENT_IMAGE_REQUEST = "profile.image.request";
+
 	/*
 	 * ENTITY
 	 */
diff --git a/profile2/impl/src/java/org/sakaiproject/profile2/logic/SakaiProxyImpl.java b/profile2/impl/src/java/org/sakaiproject/profile2/logic/SakaiProxyImpl.java
index ea234357cc64..fcabc5dc9584 100644
--- a/profile2/impl/src/java/org/sakaiproject/profile2/logic/SakaiProxyImpl.java
+++ b/profile2/impl/src/java/org/sakaiproject/profile2/logic/SakaiProxyImpl.java
@@ -1718,6 +1718,38 @@ public int getNamePronunciationDuration() {
 		return this.serverConfigurationService.getInt("profile2.profile.name.pronunciation.duration", 10);
 	}
 
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public boolean isUserMemberOfSite(final String userId, final String siteId){
+		try {
+			return this.siteService.getSite(siteId).getUserRole(userId) != null;
+		} catch (IdUnusedException e) {
+			return false;
+		}
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public boolean areUsersMembersOfSameSite(final String userId1, final String userId2){
+		if (StringUtils.equals(userId1, userId2)) {
+			return true;
+		}
+		
+		try {
+			List<Site> sitesUser1 = siteService.getUserSites(false, userId1);
+			List<Site> sitesUser2 = siteService.getUserSites(false, userId2);
+			List<Site> coincidences = new ArrayList<>(sitesUser1);
+			coincidences.retainAll(sitesUser2);
+			return coincidences.size() > 0;
+		} catch (Exception ex) {
+			return false;
+		}
+	}
+
 	/**
 	 * init
 	 */
diff --git a/profile2/tool/src/java/org/sakaiproject/profile2/tool/entityprovider/ProfileEntityProvider.java b/profile2/tool/src/java/org/sakaiproject/profile2/tool/entityprovider/ProfileEntityProvider.java
index 0f19503b1725..24bbc311e994 100644
--- a/profile2/tool/src/java/org/sakaiproject/profile2/tool/entityprovider/ProfileEntityProvider.java
+++ b/profile2/tool/src/java/org/sakaiproject/profile2/tool/entityprovider/ProfileEntityProvider.java
@@ -124,9 +124,10 @@ public Object getProfileImage(OutputStream out, EntityView view, Map<String,Obje
 		
 		final String id = ref.getId();
 
-        final boolean wantsBlank = id.equals(ProfileConstants.BLANK);
+        boolean wantsBlank = id.equals(ProfileConstants.BLANK);
 
         String uuid = "";
+        String currentUserId = sakaiProxy.getCurrentUserId();
 
         if(!wantsBlank) {
 		    //convert input to uuid
@@ -158,7 +159,28 @@ public Object getProfileImage(OutputStream out, EntityView view, Map<String,Obje
 		if(StringUtils.isNotBlank(siteId) && !sakaiProxy.checkForSite(siteId)){
 			throw new EntityNotFoundException("Invalid siteId: " + siteId, ref.getReference());
 		}
-		
+
+		// First of all, check if the current user is admin. If current user is admin, show all the pictures always
+		if (sakaiProxy.isAdminUser()) {
+			wantsBlank = false;
+		} else if (StringUtils.isBlank(siteId)) {
+			// No site id is specified, checking if both users have any site in common
+			if (!sakaiProxy.areUsersMembersOfSameSite(currentUserId, uuid)) {
+				// No sites in common, so serving a blank image
+				wantsBlank = true;
+			}
+		} else {
+			// Site id is specified, checking if both users are members of that site
+			if (!sakaiProxy.isUserMemberOfSite(currentUserId, siteId)) {
+				// Current user is not a member of the specified site, so serving a blank image
+				wantsBlank = true;
+			}
+			if (!sakaiProxy.isUserMemberOfSite(uuid, siteId)) {
+				// Requested user is not a member of the specified site, so serving a blank image
+				wantsBlank = true;
+			}
+		}
+
         if(wantsBlank) {
             image = imageLogic.getBlankProfileImage();
         } else {
@@ -180,7 +202,11 @@ public Object getProfileImage(OutputStream out, EntityView view, Map<String,Obje
 		if(image == null) {
 			throw new EntityNotFoundException("No profile image for " + id, ref.getReference());
 		}
-		
+
+		if (!StringUtils.equals(currentUserId, uuid)) {
+			sakaiProxy.postEvent(ProfileConstants.EVENT_IMAGE_REQUEST, "/profile/" + currentUserId + "/imagerequest/" + uuid, false);
+		}
+
 		//check for binary
 		final byte[] bytes = image.getBinary();
 		if(bytes != null && bytes.length > 0) {