From 5fbb01130a4d455c7f657f3b68ad0317ffa90276 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Wed, 17 Feb 2016 22:58:31 +0100
Subject: [PATCH] By default, disallow users to set private_stream
---
 actions/profilesettings.php | 26 ++++++++++++++++++--------
 lib/default.php | 1 +
 2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/actions/profilesettings.php b/actions/profilesettings.php
index 21de0579b7..a1d947530c 100644
--- a/actions/profilesettings.php
+++ b/actions/profilesettings.php
@@ -207,13 +207,15 @@ class ProfilesettingsAction extends SettingsAction
 (empty($user->subscribe_policy)) ? User::SUBSCRIBE_POLICY_OPEN : $user->subscribe_policy);
 $this->elementEnd('li');
 }
- $this->elementStart('li');
- $this->checkbox('private_stream',
- // TRANS: Checkbox label in profile settings.
- _('Make updates visible only to my followers'),
- ($this->arg('private_stream')) ?
- $this->boolean('private_stream') : $user->private_stream);
- $this->elementEnd('li');
+ if (common_config('profile', 'allowprivate') || $user->private_stream) {
+ $this->elementStart('li');
+ $this->checkbox('private_stream',
+ // TRANS: Checkbox label in profile settings.
+ _('Make updates visible only to my followers'),
+ ($this->arg('private_stream')) ?
+ $this->boolean('private_stream') : $user->private_stream);
+ $this->elementEnd('li');
+ }
 $this->elementEnd('ul');
 // TRANS: Button to save input in profile settings.
 $this->submit('save', _m('BUTTON','Save'));
@@ -255,7 +257,6 @@ class ProfilesettingsAction extends SettingsAction
 $location = $this->trimmed('location');
 $autosubscribe = $this->booleanintstring('autosubscribe');
 $subscribe_policy = $this->trimmed('subscribe_policy');
- $private_stream = $this->booleanintstring('private_stream');
 $language = $this->trimmed('language');
 $timezone = $this->trimmed('timezone');
 $tagstring = $this->trimmed('tags');
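Review bot: The test `common_config('profile', 'allowprivate') || $user->private_stream` that guards the checkbox here is repeated verbatim in the save path (the hunk at -310), so the form and the enforcement can drift apart if only one of them is edited later. Pulling it into one method, for example `protected function maySetPrivateStream($user) { return common_config('profile', 'allowprivate') || $user->private_stream; }`, keeps display and enforcement in step. Separately, when the site disallows private streams a user who still has one sees the checkbox, but unticking it cannot be undone by that user; the label does not say so, and a short hint next to the checkbox would prevent accidental loss of the setting. The enclosing method starts and ends outside the hunk.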
@@ -310,6 +311,15 @@ class ProfilesettingsAction extends SettingsAction $user = $this->scoped->getUser(); $user->query('BEGIN'); + // Only allow setting private_stream if site policy allows it + // (or user already _has_ a private stream, then you can unset it) + if (common_config('profile', 'allowprivate') || $user->private_stream) { + $private_stream = $this->booleanintstring('private_stream'); + } else { + // if not allowed, we set to the existing value + $private_stream = $user->private_stream; + } + // $user->nickname is updated through Profile->update(); // XXX: XOR diff --git a/lib/default.php b/lib/default.php index d9f377ecd7..79480483ce 100644 --- a/lib/default.php +++ b/lib/default.php @@ -129,6 +129,7 @@ $default = array('banned' => array(), 'biolimit' => null, 'changenick' => false, + 'allowprivate' => false, // whether to allow setting stream to private ("only followers can read") 'backup' => false, // can cause DoS, so should be done via CLI 'restore' => false, 'delete' => false, -- 2.39.5
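Review bot: The `allowprivate` policy is enforced only in this action's save path, so any other code that writes `private_stream` (an API profile update or a plugin; none is visible in this patch) would not be covered. It is worth confirming that no such path exists, or moving the check next to the write itself. In the `else` branch, `$private_stream = $user->private_stream;` carries whatever type the stored column has, while the other branch yields the result of `booleanintstring()`. If that helper returns '1'/'0' as its name suggests and the comparison further down (outside the hunk) is type-sensitive, normalising with `$private_stream = $user->private_stream ? '1' : '0';` would make both branches behave the same. The enclosing method starts and ends outside the hunk.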
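Review bot: The new default `'allowprivate' => false` in lib/default.php changes behaviour on upgrade: users on sites that previously allowed private streams can no longer enable one until the admin sets the key. The inline comment could record this together with the grandfathering implemented in profilesettings.php, e.g. `// whether users may newly make their stream private ("only followers can read"); accounts that already have it keep it and may still switch it off`. An entry in the project's configuration documentation, if one exists, would help admins find the key.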