While trying to add some basic profile picture privacy filters progress was halted since there wasn't a shared location for making sure user privacy preferences where taken into account.
This PR starts to gather the filters and logic we use when viewing user profile data of user Y as user X. For now this mostly matches existing implementations previously spread across different locations. But the idea is that we should extend it with other privacy options as needed, including hiding data of inactive users, users from other events, etc.
Not quite sure how to test ApiController changes, so would be nice if some would verify that part
How it works
Any time you want to get a user object for use in a view (or other possible public facing location):
Get user object as usual
Pass it through $this->Acl->filterPrivateUserDetails($user) (or other way of accessing the ACL Component)
The user object returned has been filtered based on user privacy preferences (such as hiding phone, email, etc) and the permissions of the viewing user (same crew, leader, superuser, etc).
Use returned user as usual, but make sure to check if user properties are !empty (or similar) before accessing and outputing them
While trying to add some basic profile picture privacy filters progress was halted since there wasn't a shared location for making sure user privacy preferences where taken into account.
This PR starts to gather the filters and logic we use when viewing user profile data of user Y as user X. For now this mostly matches existing implementations previously spread across different locations. But the idea is that we should extend it with other privacy options as needed, including hiding data of inactive users, users from other events, etc.
Relates to: https://github.com/gathering/wannabe/issues/20 Combines with https://github.com/gathering/wannabe/pull/65 to improve image privacy
Not quite sure how to test ApiController changes, so would be nice if some would verify that part
How it works
Any time you want to get a user object for use in a view (or other possible public facing location):
$this->Acl->filterPrivateUserDetails($user)
(or other way of accessing the ACL Component)!empty
(or similar) before accessing and outputing them