refactor: implemented privacy checks in the GetProfileByUsername method;
refactor: reworked sql request for privacy-checking profile getter
This commit is contained in:
@@ -345,59 +345,63 @@ func (q *Queries) GetProfileByUsername(ctx context.Context, username string) (Pr
|
|||||||
return i, err
|
return i, err
|
||||||
}
|
}
|
||||||
|
|
||||||
const getProfileByUsernameRestricted = `-- name: GetProfileByUsernameRestricted :one
|
const getProfileByUsernameWithPrivacy = `-- name: GetProfileByUsernameWithPrivacy :one
|
||||||
SELECT
|
SELECT
|
||||||
users.username,
|
u.username,
|
||||||
profiles.name,
|
p.name,
|
||||||
CASE
|
p.bio,
|
||||||
WHEN profile_settings.hide_birthday OR profile_settings.hide_profile_details THEN NULL
|
p.avatar_url,
|
||||||
ELSE profiles.birthday
|
CASE WHEN ps.hide_birthday THEN NULL ELSE p.birthday END AS birthday,
|
||||||
END AS birthday,
|
p.color,
|
||||||
CASE
|
p.color_grad,
|
||||||
WHEN profile_settings.hide_profile_details THEN NULL
|
NOT ($1::text = '' AND ps.hide_for_unauthenticated) AS access_allowed
|
||||||
ELSE profiles.bio
|
FROM
|
||||||
END AS bio,
|
users AS u
|
||||||
CASE
|
JOIN profiles AS p ON u.id = p.user_id
|
||||||
WHEN profile_settings.hide_profile_details THEN NULL
|
JOIN profile_settings AS ps ON p.id = ps.profile_id
|
||||||
ELSE profiles.avatar_url
|
WHERE
|
||||||
END AS avatar_url,
|
u.username = $2::text
|
||||||
profiles.color,
|
AND (
|
||||||
profiles.color_grad,
|
$2::text = $1::text
|
||||||
profile_settings.hide_profile_details
|
OR
|
||||||
FROM profiles
|
u.deleted IS FALSE
|
||||||
JOIN users ON users.id = profiles.user_id
|
AND u.verified IS TRUE
|
||||||
JOIN profile_settings ON profiles.id = profile_settings.profile_id
|
AND NOT EXISTS (
|
||||||
WHERE users.username = $1 AND ($2 IS FALSE OR profile_settings.hide_for_unauthenticated IS FALSE)
|
SELECT 1
|
||||||
|
FROM banned_users
|
||||||
|
WHERE user_id = u.id
|
||||||
|
)
|
||||||
|
)
|
||||||
`
|
`
|
||||||
|
|
||||||
type GetProfileByUsernameRestrictedParams struct {
|
type GetProfileByUsernameWithPrivacyParams struct {
|
||||||
Username string
|
Requester string
|
||||||
Column2 *bool
|
SearchedUsername string
|
||||||
}
|
}
|
||||||
|
|
||||||
type GetProfileByUsernameRestrictedRow struct {
|
type GetProfileByUsernameWithPrivacyRow struct {
|
||||||
Username string
|
Username string
|
||||||
Name string
|
Name string
|
||||||
|
Bio string
|
||||||
|
AvatarUrl string
|
||||||
Birthday pgtype.Timestamp
|
Birthday pgtype.Timestamp
|
||||||
Bio *string
|
|
||||||
AvatarUrl *string
|
|
||||||
Color string
|
Color string
|
||||||
ColorGrad string
|
ColorGrad string
|
||||||
HideProfileDetails bool
|
AccessAllowed *bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func (q *Queries) GetProfileByUsernameRestricted(ctx context.Context, arg GetProfileByUsernameRestrictedParams) (GetProfileByUsernameRestrictedRow, error) {
|
func (q *Queries) GetProfileByUsernameWithPrivacy(ctx context.Context, arg GetProfileByUsernameWithPrivacyParams) (GetProfileByUsernameWithPrivacyRow, error) {
|
||||||
row := q.db.QueryRow(ctx, getProfileByUsernameRestricted, arg.Username, arg.Column2)
|
row := q.db.QueryRow(ctx, getProfileByUsernameWithPrivacy, arg.Requester, arg.SearchedUsername)
|
||||||
var i GetProfileByUsernameRestrictedRow
|
var i GetProfileByUsernameWithPrivacyRow
|
||||||
err := row.Scan(
|
err := row.Scan(
|
||||||
&i.Username,
|
&i.Username,
|
||||||
&i.Name,
|
&i.Name,
|
||||||
&i.Birthday,
|
|
||||||
&i.Bio,
|
&i.Bio,
|
||||||
&i.AvatarUrl,
|
&i.AvatarUrl,
|
||||||
|
&i.Birthday,
|
||||||
&i.Color,
|
&i.Color,
|
||||||
&i.ColorGrad,
|
&i.ColorGrad,
|
||||||
&i.HideProfileDetails,
|
&i.AccessAllowed,
|
||||||
)
|
)
|
||||||
return i, err
|
return i, err
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -70,7 +70,6 @@ func (p *profileServiceImpl) GetMyProfile(cinfo dto.ClientInfo) (*dto.ProfileDto
|
|||||||
return profileDto, nil
|
return profileDto, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Profile privacy settings checks
|
|
||||||
func (p *profileServiceImpl) GetProfileByUsername(cinfo dto.ClientInfo, username string) (*dto.ProfileDto, error) {
|
func (p *profileServiceImpl) GetProfileByUsername(cinfo dto.ClientInfo, username string) (*dto.ProfileDto, error) {
|
||||||
helper, db, err := database.NewDbHelperTransaction(p.dbctx); if err != nil {
|
helper, db, err := database.NewDbHelperTransaction(p.dbctx); if err != nil {
|
||||||
p.log.Error(
|
p.log.Error(
|
||||||
@@ -80,7 +79,10 @@ func (p *profileServiceImpl) GetProfileByUsername(cinfo dto.ClientInfo, username
|
|||||||
}
|
}
|
||||||
defer helper.Rollback()
|
defer helper.Rollback()
|
||||||
|
|
||||||
profile, err := db.TXQueries.GetProfileByUsername(db.CTX, username); if err != nil {
|
profileRow, err := db.TXQueries.GetProfileByUsernameWithPrivacy(db.CTX, database.GetProfileByUsernameWithPrivacyParams{
|
||||||
|
Requester: cinfo.Username,
|
||||||
|
SearchedUsername: username,
|
||||||
|
}); if err != nil {
|
||||||
if errors.Is(err, pgx.ErrNoRows) {
|
if errors.Is(err, pgx.ErrNoRows) {
|
||||||
return nil, errs.ErrNotFound
|
return nil, errs.ErrNotFound
|
||||||
}
|
}
|
||||||
@@ -92,8 +94,18 @@ func (p *profileServiceImpl) GetProfileByUsername(cinfo dto.ClientInfo, username
|
|||||||
return nil, errs.ErrServerError
|
return nil, errs.ErrServerError
|
||||||
}
|
}
|
||||||
|
|
||||||
profileDto := &dto.ProfileDto{}
|
if !*profileRow.AccessAllowed {
|
||||||
mapspecial.MapProfileDto(profile, profileDto)
|
return nil, errs.ErrForbidden
|
||||||
|
}
|
||||||
|
|
||||||
|
profileDto := &dto.ProfileDto{
|
||||||
|
Name: profileRow.Name,
|
||||||
|
Bio: profileRow.Bio,
|
||||||
|
AvatarUrl: &profileRow.AvatarUrl,
|
||||||
|
Birthday: profileRow.Birthday.Time.UnixMilli(),
|
||||||
|
Color: profileRow.Color,
|
||||||
|
ColorGrad: profileRow.ColorGrad,
|
||||||
|
}
|
||||||
|
|
||||||
return profileDto, nil
|
return profileDto, nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -296,29 +296,33 @@ SELECT profiles.* FROM profiles
|
|||||||
JOIN users ON users.id = profiles.user_id
|
JOIN users ON users.id = profiles.user_id
|
||||||
WHERE users.username = $1;
|
WHERE users.username = $1;
|
||||||
|
|
||||||
;-- name: GetProfileByUsernameRestricted :one
|
;-- name: GetProfileByUsernameWithPrivacy :one
|
||||||
SELECT
|
SELECT
|
||||||
users.username,
|
u.username,
|
||||||
profiles.name,
|
p.name,
|
||||||
CASE
|
p.bio,
|
||||||
WHEN profile_settings.hide_birthday OR profile_settings.hide_profile_details THEN NULL
|
p.avatar_url,
|
||||||
ELSE profiles.birthday
|
CASE WHEN ps.hide_birthday THEN NULL ELSE p.birthday END AS birthday,
|
||||||
END AS birthday,
|
p.color,
|
||||||
CASE
|
p.color_grad,
|
||||||
WHEN profile_settings.hide_profile_details THEN NULL
|
NOT (@requester::text = '' AND ps.hide_for_unauthenticated) AS access_allowed
|
||||||
ELSE profiles.bio
|
FROM
|
||||||
END AS bio,
|
users AS u
|
||||||
CASE
|
JOIN profiles AS p ON u.id = p.user_id
|
||||||
WHEN profile_settings.hide_profile_details THEN NULL
|
JOIN profile_settings AS ps ON p.id = ps.profile_id
|
||||||
ELSE profiles.avatar_url
|
WHERE
|
||||||
END AS avatar_url,
|
u.username = @searched_username::text
|
||||||
profiles.color,
|
AND (
|
||||||
profiles.color_grad,
|
@searched_username::text = @requester::text
|
||||||
profile_settings.hide_profile_details
|
OR
|
||||||
FROM profiles
|
u.deleted IS FALSE
|
||||||
JOIN users ON users.id = profiles.user_id
|
AND u.verified IS TRUE
|
||||||
JOIN profile_settings ON profiles.id = profile_settings.profile_id
|
AND NOT EXISTS (
|
||||||
WHERE users.username = $1 AND ($2 IS FALSE OR profile_settings.hide_for_unauthenticated IS FALSE);
|
SELECT 1
|
||||||
|
FROM banned_users
|
||||||
|
WHERE user_id = u.id
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
;-- name: GetProfilesRestricted :many
|
;-- name: GetProfilesRestricted :many
|
||||||
SELECT
|
SELECT
|
||||||
|
|||||||
Reference in New Issue
Block a user