feat(privacy): enforce avatar/presence visibility and invite restrictions

2026-03-08 13:32:20 +03:00
parent eb0852e64d
commit c214cc8fd8
5 changed files with 113 additions and 8 deletions
--- a/app/users/router.py
+++ b/app/users/router.py
@@ -16,6 +16,8 @@ from app.users.service import (
    has_block_relation_between_users,
    remove_contact,
    search_users_by_username,
+    serialize_user_for_viewer,
+    serialize_user_search_for_viewer,
    unblock_user,
    update_user_profile,
 )
@@ -43,7 +45,7 @@ async def search_users(
        limit=limit,
        exclude_user_id=current_user.id,
    )
-    return users
+    return [await serialize_user_search_for_viewer(db, target_user=user, viewer_user_id=current_user.id) for user in users]


@router.put("/profile", response_model=UserRead)
@@ -69,7 +71,7 @@ async def update_profile(
        privacy_avatar=payload.privacy_avatar,
        privacy_group_invites=payload.privacy_group_invites,
    )
-    return updated
+    return await serialize_user_for_viewer(db, target_user=updated, viewer_user_id=current_user.id)


@router.get("/blocked", response_model=list[UserSearchRead])
@@ -77,7 +79,8 @@ async def read_blocked_users(
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
 ) -> list[UserSearchRead]:
-    return await list_blocked_users(db, user_id=current_user.id)
+    users = await list_blocked_users(db, user_id=current_user.id)
+    return [await serialize_user_search_for_viewer(db, target_user=user, viewer_user_id=current_user.id) for user in users]


@router.get("/contacts", response_model=list[UserSearchRead])
@@ -85,7 +88,8 @@ async def read_contacts(
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
 ) -> list[UserSearchRead]:
-    return await list_contacts(db, user_id=current_user.id)
+    users = await list_contacts(db, user_id=current_user.id)
+    return [await serialize_user_search_for_viewer(db, target_user=user, viewer_user_id=current_user.id) for user in users]


@router.post("/{user_id}/contacts", status_code=status.HTTP_204_NO_CONTENT)
@@ -163,4 +167,4 @@ async def read_user(user_id: int, db: AsyncSession = Depends(get_db), _current_u
    user = await get_user_by_id(db, user_id)
    if not user:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
-    return user
+    return await serialize_user_for_viewer(db, target_user=user, viewer_user_id=_current_user.id)