fix(conversations): Allow accessing avatars of listable conversations

Signed-off-by: Joas Schilling <coding@schilljs.com>
2025-12-18 05:20:50 +01:00 · 2023-08-16 10:10:10 +02:00 · 2023-08-16 10:10:10 +02:00 · 5b2c885630
commit 5b2c885630
parent 08aa3ae18b
4 changed files with 78 additions and 7 deletions
--- a/lib/Controller/AvatarController.php
+++ b/lib/Controller/AvatarController.php
@ -28,7 +28,7 @@ namespace OCA\Talk\Controller;

 use InvalidArgumentException;
 use OCA\Talk\Middleware\Attribute\RequireModeratorParticipant;
-use OCA\Talk\Middleware\Attribute\RequireParticipant;
+use OCA\Talk\Middleware\Attribute\RequireParticipantOrLoggedInAndListedConversation;
 use OCA\Talk\Service\AvatarService;
 use OCA\Talk\Service\RoomFormatter;
 use OCP\AppFramework\Http;
@ -102,7 +102,7 @@ class AvatarController extends AEnvironmentAwareController {

 	#[PublicPage]
 	#[NoCSRFRequired]
-	#[RequireParticipant]
+	#[RequireParticipantOrLoggedInAndListedConversation]
 	public function getAvatar(bool $darkTheme = false): Response {
 		$file = $this->avatarService->getAvatar($this->getRoom(), $this->userSession->getUser(), $darkTheme);

@ -115,7 +115,7 @@ class AvatarController extends AEnvironmentAwareController {

 	#[PublicPage]
 	#[NoCSRFRequired]
-	#[RequireParticipant]
+	#[RequireParticipantOrLoggedInAndListedConversation]
 	public function getAvatarDark(): Response {
 		return $this->getAvatar(true);
 	}
--- a/lib/Middleware/Attribute/RequireParticipantOrLoggedInAndListedConversation.php
+++ b/lib/Middleware/Attribute/RequireParticipantOrLoggedInAndListedConversation.php
@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
+ *
+ * @author Joas Schilling <coding@schilljs.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\Talk\Middleware\Attribute;
+
+use Attribute;
+
+#[Attribute(Attribute::TARGET_METHOD)]
+class RequireParticipantOrLoggedInAndListedConversation extends RequireRoom {
+}
--- a/lib/Middleware/InjectionMiddleware.php
+++ b/lib/Middleware/InjectionMiddleware.php
@ -33,6 +33,7 @@ use OCA\Talk\Middleware\Attribute\RequireLoggedInParticipant;
 use OCA\Talk\Middleware\Attribute\RequireModeratorOrNoLobby;
 use OCA\Talk\Middleware\Attribute\RequireModeratorParticipant;
 use OCA\Talk\Middleware\Attribute\RequireParticipant;
+use OCA\Talk\Middleware\Attribute\RequireParticipantOrLoggedInAndListedConversation;
 use OCA\Talk\Middleware\Attribute\RequirePermission;
 use OCA\Talk\Middleware\Attribute\RequireReadWriteConversation;
 use OCA\Talk\Middleware\Attribute\RequireRoom;
@ -96,6 +97,10 @@ class InjectionMiddleware extends Middleware {
 			$this->getLoggedIn($controller, true);
 		}

+		if (!empty($reflectionMethod->getAttributes(RequireParticipantOrLoggedInAndListedConversation::class))) {
+			$this->getLoggedInOrGuest($controller, false, true);
+		}
+
 		if (!empty($reflectionMethod->getAttributes(RequireParticipant::class))) {
 			$this->getLoggedInOrGuest($controller, false);
 		}
@ -157,10 +162,11 @@ class InjectionMiddleware extends Middleware {
 	/**
 	 * @param AEnvironmentAwareController $controller
 	 * @param bool $moderatorRequired
+	 * @param bool $requireListedWhenNoParticipant
 	 * @throws NotAModeratorException
 	 * @throws ParticipantNotFoundException
 	 */
-	protected function getLoggedInOrGuest(AEnvironmentAwareController $controller, bool $moderatorRequired): void {
+	protected function getLoggedInOrGuest(AEnvironmentAwareController $controller, bool $moderatorRequired, bool $requireListedWhenNoParticipant = false): void {
 		$room = $controller->getRoom();
 		if (!$room instanceof Room) {
 			$token = $this->request->getParam('token');
@ -175,6 +181,7 @@ class InjectionMiddleware extends Middleware {
 			if ($sessionId !== null) {
 				try {
 					$participant = $this->participantService->getParticipantBySession($room, $sessionId);
+					$controller->setParticipant($participant);
 				} catch (ParticipantNotFoundException $e) {
 					// ignore and fall back in case a concurrent request might have
 					// invalidated the session
@ -182,10 +189,11 @@ class InjectionMiddleware extends Middleware {
 			}

 			if ($participant === null) {
-				$participant = $this->participantService->getParticipant($room, $this->userId);
+				if (!$requireListedWhenNoParticipant || !$this->manager->isRoomListableByUser($room, $this->userId)) {
+					$participant = $this->participantService->getParticipant($room, $this->userId);
+					$controller->setParticipant($participant);
+				}
 			}
-
-			$controller->setParticipant($participant);
 		}

 		if ($moderatorRequired && !$participant->hasModeratorPermissions()) {
--- a/tests/integration/features/conversation/avatar.feature
+++ b/tests/integration/features/conversation/avatar.feature
@ -2,6 +2,8 @@ Feature: conversation/avatar
  Background:
    Given user "participant1" exists
    Given user "participant2" exists
+    And guest accounts can be created
+    And user "user-guest@example.com" is a guest account user

  Scenario: Misteps
    Given user "participant1" creates room "room1" (v4)
@ -44,6 +46,35 @@ Feature: conversation/avatar
      | avatarVersion | NOT_EMPTY |
      | isCustomAvatar | 0 |

+  Scenario: Get avatar of conversation without being a participant
+    Given user "participant1" creates room "room3" (v4)
+      | roomType | 3 |
+      | roomName | room3 |
+    Then the room "room3" has an avatar with 200
+    And user "participant1" gets room "room3" with 200 (v4)
+      | avatarVersion | NOT_EMPTY |
+      | isCustomAvatar | 0 |
+    And as user "participant2"
+    And the room "room3" has an avatar with 404
+    And as user "user-guest@example.com"
+    And the room "room3" has an avatar with 404
+    And as user "guest"
+    And the room "room3" has an avatar with 404
+    When user "participant1" allows listing room "room3" for "users" with 200 (v4)
+    And as user "participant2"
+    And the room "room3" has an avatar with 200
+    And as user "user-guest@example.com"
+    And the room "room3" has an avatar with 404
+    And as user "guest"
+    And the room "room3" has an avatar with 404
+    When user "participant1" allows listing room "room3" for "all" with 200 (v4)
+    And as user "participant2"
+    And the room "room3" has an avatar with 200
+    And as user "user-guest@example.com"
+    And the room "room3" has an avatar with 200
+    And as user "guest"
+    And the room "room3" has an avatar with 404
+
  Scenario: Get avatar of one2one without custom avatar (fallback)
    When user "participant1" creates room "one2one" (v4)
      | roomType | 1 |