privacy/security: add PM privacy levels and improve session visibility
@@ -24,6 +24,7 @@ class User(Base):
|
||||
bio: Mapped[str | None] = mapped_column(String(500), nullable=True)
|
||||
email_verified: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False, index=True)
|
||||
allow_private_messages: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False, server_default="true")
|
||||
privacy_private_messages: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
|
||||
privacy_last_seen: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
|
||||
privacy_avatar: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
|
||||
privacy_group_invites: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
|
||||
|
||||
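Review bot: Accounts that had already switched private messages off may be reopened by the new `privacy_private_messages` column, because it is `nullable=False` with `server_default="everyone"`, so every existing row is filled with `everyone` whatever its `allow_private_messages` value is. The `or (...)` fallback in `can_user_receive_private_messages` (last hunk) only runs on a falsy value, so it would not catch those rows. No migration is visible on this page; if it does not already backfill, it should set `privacy_private_messages = 'nobody'` where `allow_private_messages` is false before the new check is used. A comment above the column such as `# authoritative PM policy; allow_private_messages is kept only for legacy clients` would also record which of the two fields wins. The `User` class body starts and ends outside the hunk.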
@@ -67,6 +67,7 @@ async def update_profile(
|
||||
bio=payload.bio,
|
||||
avatar_url=payload.avatar_url,
|
||||
allow_private_messages=payload.allow_private_messages,
|
||||
privacy_private_messages=payload.privacy_private_messages,
|
||||
privacy_last_seen=payload.privacy_last_seen,
|
||||
privacy_avatar=payload.privacy_avatar,
|
||||
privacy_group_invites=payload.privacy_group_invites,
|
||||
|
||||
@@ -6,6 +6,7 @@ from typing import Literal
|
||||
|
||||
PrivacyLevel = Literal["everyone", "contacts", "nobody"]
|
||||
GroupInvitePrivacyLevel = Literal["everyone", "contacts"]
|
||||
PrivateMessagesPrivacyLevel = Literal["everyone", "contacts", "nobody"]
|
||||
|
||||
|
||||
class UserBase(BaseModel):
|
||||
@@ -26,6 +27,7 @@ class UserRead(UserBase):
|
||||
bio: str | None = None
|
||||
email_verified: bool
|
||||
allow_private_messages: bool
|
||||
privacy_private_messages: PrivateMessagesPrivacyLevel = "everyone"
|
||||
privacy_last_seen: PrivacyLevel = "everyone"
|
||||
privacy_avatar: PrivacyLevel = "everyone"
|
||||
privacy_group_invites: GroupInvitePrivacyLevel = "everyone"
|
||||
@@ -40,6 +42,7 @@ class UserProfileUpdate(BaseModel):
|
||||
bio: str | None = Field(default=None, max_length=500)
|
||||
avatar_url: str | None = Field(default=None, max_length=512)
|
||||
allow_private_messages: bool | None = None
|
||||
privacy_private_messages: PrivateMessagesPrivacyLevel | None = None
|
||||
privacy_last_seen: PrivacyLevel | None = None
|
||||
privacy_avatar: PrivacyLevel | None = None
|
||||
privacy_group_invites: GroupInvitePrivacyLevel | None = None
|
||||
|
||||
@@ -42,6 +42,7 @@ async def update_user_profile(
|
||||
bio: str | None = None,
|
||||
avatar_url: str | None = None,
|
||||
allow_private_messages: bool | None = None,
|
||||
privacy_private_messages: str | None = None,
|
||||
privacy_last_seen: str | None = None,
|
||||
privacy_avatar: str | None = None,
|
||||
privacy_group_invites: str | None = None,
|
||||
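Review bot: The four `privacy_*` parameters of `update_user_profile` are typed as plain `str | None`, so the allowed values are enforced only by the Pydantic schema, and any other caller of this service function can store an arbitrary string in a `String(16)` column that has no visible constraint. Reusing the schema aliases would keep the contract in one place, for example `privacy_private_messages: PrivateMessagesPrivacyLevel | None = None,` and `privacy_group_invites: GroupInvitePrivacyLevel | None = None,`. The module appears to import from the schemas already, since `UserRead` is used further down, but that import is not shown here. The signature starts and ends outside the hunk.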
@@ -56,6 +57,11 @@ async def update_user_profile(
|
||||
user.avatar_url = avatar_url
|
||||
if allow_private_messages is not None:
|
||||
user.allow_private_messages = allow_private_messages
|
||||
if privacy_private_messages is None:
|
||||
user.privacy_private_messages = "everyone" if allow_private_messages else "nobody"
|
||||
if privacy_private_messages is not None:
|
||||
user.privacy_private_messages = privacy_private_messages
|
||||
user.allow_private_messages = privacy_private_messages != "nobody"
|
||||
if privacy_last_seen is not None:
|
||||
user.privacy_last_seen = privacy_last_seen
|
||||
if privacy_avatar is not None:
|
||||
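Review bot: A client that still sends only the legacy `allow_private_messages=true` flag silently widens a stored `contacts` policy to `everyone`, because the derived assignment overwrites `user.privacy_private_messages` without checking its current value. The legacy flag should change the policy only when it flips the on/off state: `if not allow_private_messages: user.privacy_private_messages = "nobody"` followed by `elif user.privacy_private_messages == "nobody": user.privacy_private_messages = "everyone"`. Indentation is lost on this page, so this assumes the `privacy_private_messages is None` check is nested under the `allow_private_messages is not None` branch. If it is not nested, an update that omits both fields would set the policy to `nobody`. The function body starts and ends outside the hunk.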
@@ -127,12 +133,25 @@ async def can_invite_user_to_groups(db: AsyncSession, *, target_user: User, acto
|
||||
return await repository.is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=actor_user_id)
|
||||
|
||||
|
||||
async def can_user_receive_private_messages(db: AsyncSession, *, target_user: User, actor_user_id: int) -> bool:
|
||||
if target_user.id == actor_user_id:
|
||||
return True
|
||||
policy = target_user.privacy_private_messages or ("everyone" if target_user.allow_private_messages else "nobody")
|
||||
if policy == "everyone":
|
||||
return True
|
||||
if policy == "nobody":
|
||||
return False
|
||||
return await repository.is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=actor_user_id)
|
||||
|
||||
|
||||
async def serialize_user_for_viewer(db: AsyncSession, *, target_user: User, viewer_user_id: int) -> UserRead:
|
||||
payload = UserRead.model_validate(target_user).model_dump()
|
||||
payload["allow_private_messages"] = bool(target_user.privacy_private_messages != "nobody")
|
||||
if not await can_view_user_avatar(db, target_user=target_user, viewer_user_id=viewer_user_id):
|
||||
payload["avatar_url"] = None
|
||||
if target_user.id != viewer_user_id:
|
||||
payload["allow_private_messages"] = True
|
||||
payload["privacy_private_messages"] = "everyone"
|
||||
payload["privacy_last_seen"] = "everyone"
|
||||
payload["privacy_avatar"] = "everyone"
|
||||
payload["privacy_group_invites"] = "everyone"
|
||||
|
||||
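Review bot: `serialize_user_for_viewer` hides the owner's settings only on code paths that call it, so any endpoint that still returns `UserRead.model_validate(user)` directly would expose `avatar_url` and all four `privacy_*` values to other viewers. The callers are not visible here and should be checked. Overwriting the fields with `"everyone"` and `True` also makes a masked response indistinguishable from a real setting, so a client will offer messaging to a user whose policy is `nobody` and fail only at send time. A separate public schema without these fields would make the masking structural. Failing that, add a docstring such as `"""Return target_user as seen by viewer_user_id; avatar is hidden per privacy_avatar and privacy settings are masked for non-owners."""`. The function's return statement lies outside the hunk.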