Restrict viewing user profile pages to registered users only, but

provide a "show_user_profiles_to" setting to allow admins to open it
up to everybody (choices there are "registered_users", "admin_users"
or "everybody").  Fixes ticket #1378.

installer/install.sql

@@ -244,7 +244,7 @@ CREATE TABLE {modules} (
   KEY `weight` (`weight`)
 ) AUTO_INCREMENT=11 DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
-INSERT INTO {modules} VALUES (1,1,'gallery',38,1);
+INSERT INTO {modules} VALUES (1,1,'gallery',39,1);
 INSERT INTO {modules} VALUES (2,1,'user',3,2);
 INSERT INTO {modules} VALUES (3,1,'comment',3,3);
 INSERT INTO {modules} VALUES (4,1,'organize',2,4);
@@ -395,7 +395,7 @@ CREATE TABLE {vars} (
   `value` text,
   PRIMARY KEY (`id`),
   UNIQUE KEY `module_name` (`module_name`,`name`)
-) AUTO_INCREMENT=49 DEFAULT CHARSET=utf8;
+) AUTO_INCREMENT=50 DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 INSERT INTO {vars} VALUES (NULL,'gallery','active_site_theme','wind');
 INSERT INTO {vars} VALUES (NULL,'gallery','active_admin_theme','admin_wind');
@@ -422,6 +422,7 @@ INSERT INTO {vars} VALUES (NULL,'gallery','email_reply_to','unknown@unknown.com'
 INSERT INTO {vars} VALUES (NULL,'gallery','choose_default_tookit','1');
 INSERT INTO {vars} VALUES (NULL,'gallery','email_line_length','70');
 INSERT INTO {vars} VALUES (NULL,'gallery','email_header_separator','s:1:\"\n\";');
+INSERT INTO {vars} VALUES (NULL,'gallery','show_user_profiles_to','registered_users');
 INSERT INTO {vars} VALUES (NULL,'comment','spam_caught','0');
 INSERT INTO {vars} VALUES (NULL,'comment','access_permissions','everybody');
 INSERT INTO {vars} VALUES (NULL,'gallery','blocks_site_sidebar','a:4:{i:9;a:2:{i:0;s:7:\"gallery\";i:1;s:8:\"language\";}i:10;a:2:{i:0;s:4:\"info\";i:1;s:8:\"metadata\";}i:11;a:2:{i:0;s:3:\"rss\";i:1;s:9:\"rss_feeds\";}i:12;a:2:{i:0;s:3:\"tag\";i:1;s:3:\"tag\";}}');

modules/gallery/controllers/user_profile.php

@@ -18,13 +18,18 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
 class User_Profile_Controller extends Controller {
+
   public function show($id) {
     // If we get here, then we should have a user id other than guest.
     $user = identity::lookup_user($id);
     if (!$user) {
       throw new Kohana_404_Exception();
     }
 
+    if (!$this->_can_view_profile_pages($user)) {
+      throw new Kohana_404_Exception();
+    }
+
     $v = new Theme_View("page.html", "other", "profile");
     $v->page_title = t("%name Profile", array("name" => $user->display_name()));
     $v->content = new View("user_profile.html");
@@ -44,12 +49,20 @@ public function show($id) {
 
   public function contact($id) {
     $user = identity::lookup_user($id);
+    if (!$this->_can_view_profile_pages($user)) {
+      throw new Kohana_404_Exception();
+    }
+
     print user_profile::get_contact_form($user);
   }
 
   public function send($id) {
     access::verify_csrf();
     $user = identity::lookup_user($id);
+    if (!$this->_can_view_profile_pages($user)) {
+      throw new Kohana_404_Exception();
+    }
+
     $form = user_profile::get_contact_form($user);
     if ($form->validate()) {
       Sendmail::factory()
@@ -66,4 +79,30 @@ public function send($id) {
       json::reply(array("result" => "error", "html" => (string)$form));
     }
   }
+
+  private function _can_view_profile_pages($user) {
+    if (!$user->loaded()) {
+      return false;
+    }
+
+    if ($user->id == identity::active_user()->id) {
+      // You can always view your own profile
+      return true;
+    }
+
+    switch (module::get_var("gallery", "show_user_profiles_to")) {
+    case "admin_users":
+      return identity::active_user()->admin;
+
+    case "registered_users":
+      return !identity::active_user()->guest;
+
+    case "everybody":
+      return true;
+
+    default:
+      // Fail in private mode on an invalid setting
+      return false;
+    }
+  }
 }

modules/gallery/helpers/gallery_installer.php

@@ -302,14 +302,13 @@ static function install() {
     module::set_var("gallery", "maintenance_mode", 0);
     module::set_var("gallery", "visible_title_length", 15);
     module::set_var("gallery", "favicon_url", "lib/images/favicon.ico");
-
-    // Sendmail configuration
     module::set_var("gallery", "email_from", "");
     module::set_var("gallery", "email_reply_to", "");
     module::set_var("gallery", "email_line_length", 70);
     module::set_var("gallery", "email_header_separator", serialize("\n"));
+    module::set_var("gallery", "show_user_profiles_to", "registered_users");
 
-    module::set_version("gallery", 38);
+    module::set_version("gallery", 39);
   }
 
   static function upgrade($version) {
@@ -627,6 +626,11 @@ static function upgrade($version) {
       }
       module::set_version("gallery", $version = 38);
     }
+
+    if ($version == 38) {
+      module::set_var("gallery", "show_user_profiles_to", "registered_users");
+      module::set_version("gallery", $version = 39);
+    }
   }
 
   static function uninstall() {

modules/gallery/module.info

@@ -1,3 +1,3 @@
 name = "Gallery 3"
 description = "Gallery core application"
-version = 38
+version = 39