feat(privacy): enforce avatar/presence visibility and invite restrictions

app/chats/service.py

@@ -27,7 +27,25 @@ from app.messages.repository import (
     list_chat_message_ids,
 )
 from app.realtime.presence import get_users_online_map
-from app.users.repository import get_user_by_id, has_block_relation_between_users
+from app.users.repository import get_user_by_id, has_block_relation_between_users, is_user_in_contacts
+
+
+async def _can_view_last_seen(*, db: AsyncSession, target_user, viewer_user_id: int) -> bool:
+    if target_user.id == viewer_user_id:
+        return True
+    if target_user.privacy_last_seen == "everyone":
+        return True
+    if target_user.privacy_last_seen == "nobody":
+        return False
+    return await is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=viewer_user_id)
+
+
+async def _can_invite_to_group(*, db: AsyncSession, target_user, actor_user_id: int) -> bool:
+    if target_user.id == actor_user_id:
+        return False
+    if target_user.privacy_group_invites == "everyone":
+        return True
+    return await is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=actor_user_id)
 
 
 async def serialize_chat_for_user(
@@ -61,9 +79,12 @@ async def serialize_chat_for_user(
                 display_title = counterpart.name or counterpart.username
                 counterpart_name = counterpart.name
                 counterpart_username = counterpart.username
-                counterpart_last_seen_at = counterpart.last_seen_at
+                presence_allowed = await _can_view_last_seen(db=db, target_user=counterpart, viewer_user_id=user_id)
+                counterpart_last_seen_at = counterpart.last_seen_at if presence_allowed else None
             presence = await get_users_online_map([counterpart_id])
-            counterpart_is_online = presence.get(counterpart_id, False)
+            if counterpart:
+                presence_allowed = await _can_view_last_seen(db=db, target_user=counterpart, viewer_user_id=user_id)
+                counterpart_is_online = presence.get(counterpart_id, False) if presence_allowed else None
     else:
         member_ids = await repository.list_chat_member_user_ids(db, chat_id=chat.id)
         members_count = len(member_ids)
@@ -175,6 +196,13 @@ async def create_chat_for_user(db: AsyncSession, *, creator_id: int, payload: Ch
         user = await get_user_by_id(db, member_id)
         if not user:
             raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"User {member_id} not found")
+        if payload.type in {ChatType.GROUP, ChatType.CHANNEL}:
+            can_invite = await _can_invite_to_group(db=db, target_user=user, actor_user_id=creator_id)
+            if not can_invite:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail=f"User {member_id} does not allow group invites from you",
+                )
 
     chat = await repository.create_chat_with_meta(
         db,
@@ -287,6 +315,8 @@ async def add_chat_member_for_user(
     target_user = await get_user_by_id(db, target_user_id)
     if not target_user:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    if not await _can_invite_to_group(db=db, target_user=target_user, actor_user_id=actor_user_id):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="User does not allow group invites from you")
     existing = await repository.get_chat_member(db, chat_id=chat_id, user_id=target_user_id)
     if existing:
         return existing

app/users/repository.py

@@ -140,6 +140,16 @@ async def get_contact_relation(db: AsyncSession, *, user_id: int, contact_user_i
     return result.scalar_one_or_none()
 
 
+async def is_user_in_contacts(db: AsyncSession, *, owner_user_id: int, candidate_user_id: int) -> bool:
+    result = await db.execute(
+        select(UserContact.id).where(
+            UserContact.user_id == owner_user_id,
+            UserContact.contact_user_id == candidate_user_id,
+        ).limit(1)
+    )
+    return result.scalar_one_or_none() is not None
+
+
 async def list_contacts(db: AsyncSession, *, user_id: int) -> list[User]:
     stmt = (
         select(User)

app/users/router.py

@@ -16,6 +16,8 @@ from app.users.service import (
     has_block_relation_between_users,
     remove_contact,
     search_users_by_username,
+    serialize_user_for_viewer,
+    serialize_user_search_for_viewer,
     unblock_user,
     update_user_profile,
 )
@@ -43,7 +45,7 @@ async def search_users(
         limit=limit,
         exclude_user_id=current_user.id,
     )
-    return users
+    return [await serialize_user_search_for_viewer(db, target_user=user, viewer_user_id=current_user.id) for user in users]
 
 
 @router.put("/profile", response_model=UserRead)
@@ -69,7 +71,7 @@ async def update_profile(
         privacy_avatar=payload.privacy_avatar,
         privacy_group_invites=payload.privacy_group_invites,
     )
-    return updated
+    return await serialize_user_for_viewer(db, target_user=updated, viewer_user_id=current_user.id)
 
 
 @router.get("/blocked", response_model=list[UserSearchRead])
@@ -77,7 +79,8 @@ async def read_blocked_users(
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ) -> list[UserSearchRead]:
-    return await list_blocked_users(db, user_id=current_user.id)
+    users = await list_blocked_users(db, user_id=current_user.id)
+    return [await serialize_user_search_for_viewer(db, target_user=user, viewer_user_id=current_user.id) for user in users]
 
 
 @router.get("/contacts", response_model=list[UserSearchRead])
@@ -85,7 +88,8 @@ async def read_contacts(
     db: AsyncSession = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ) -> list[UserSearchRead]:
-    return await list_contacts(db, user_id=current_user.id)
+    users = await list_contacts(db, user_id=current_user.id)
+    return [await serialize_user_search_for_viewer(db, target_user=user, viewer_user_id=current_user.id) for user in users]
 
 
 @router.post("/{user_id}/contacts", status_code=status.HTTP_204_NO_CONTENT)
@@ -163,4 +167,4 @@ async def read_user(user_id: int, db: AsyncSession = Depends(get_db), _current_u
     user = await get_user_by_id(db, user_id)
     if not user:
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
-    return user
+    return await serialize_user_for_viewer(db, target_user=user, viewer_user_id=_current_user.id)

app/users/service.py

@@ -2,6 +2,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.users import repository
 from app.users.models import User
+from app.users.schemas import UserRead, UserSearchRead
 
 
 async def get_user_by_id(db: AsyncSession, user_id: int) -> User | None:
@@ -96,3 +97,51 @@ async def remove_contact(db: AsyncSession, *, user_id: int, contact_user_id: int
 
 async def list_contacts(db: AsyncSession, *, user_id: int) -> list[User]:
     return await repository.list_contacts(db, user_id=user_id)
+
+
+async def can_view_user_avatar(db: AsyncSession, *, target_user: User, viewer_user_id: int) -> bool:
+    if target_user.id == viewer_user_id:
+        return True
+    if target_user.privacy_avatar == "everyone":
+        return True
+    if target_user.privacy_avatar == "nobody":
+        return False
+    return await repository.is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=viewer_user_id)
+
+
+async def can_view_user_last_seen(db: AsyncSession, *, target_user: User, viewer_user_id: int) -> bool:
+    if target_user.id == viewer_user_id:
+        return True
+    if target_user.privacy_last_seen == "everyone":
+        return True
+    if target_user.privacy_last_seen == "nobody":
+        return False
+    return await repository.is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=viewer_user_id)
+
+
+async def can_invite_user_to_groups(db: AsyncSession, *, target_user: User, actor_user_id: int) -> bool:
+    if target_user.id == actor_user_id:
+        return False
+    if target_user.privacy_group_invites == "everyone":
+        return True
+    return await repository.is_user_in_contacts(db, owner_user_id=target_user.id, candidate_user_id=actor_user_id)
+
+
+async def serialize_user_for_viewer(db: AsyncSession, *, target_user: User, viewer_user_id: int) -> UserRead:
+    payload = UserRead.model_validate(target_user).model_dump()
+    if not await can_view_user_avatar(db, target_user=target_user, viewer_user_id=viewer_user_id):
+        payload["avatar_url"] = None
+    if target_user.id != viewer_user_id:
+        payload["allow_private_messages"] = True
+        payload["privacy_last_seen"] = "everyone"
+        payload["privacy_avatar"] = "everyone"
+        payload["privacy_group_invites"] = "everyone"
+        payload["twofa_enabled"] = False
+    return UserRead.model_validate(payload)
+
+
+async def serialize_user_search_for_viewer(db: AsyncSession, *, target_user: User, viewer_user_id: int) -> UserSearchRead:
+    payload = UserSearchRead.model_validate(target_user).model_dump()
+    if not await can_view_user_avatar(db, target_user=target_user, viewer_user_id=viewer_user_id):
+        payload["avatar_url"] = None
+    return UserSearchRead.model_validate(payload)

docs/api-reference.md

@@ -755,6 +755,18 @@ Response: `200` + `ChatNotificationSettingsRead`
 
 Note: mentions (`@username`) are delivered even when chat is muted.
 
+## 3.7 Privacy enforcement notes
+
+- User profile privacy is enforced server-side:
+  - `privacy_avatar` controls whether other users receive `avatar_url`.
+  - `privacy_last_seen` controls whether private-chat counterpart presence fields are visible:
+    - `counterpart_is_online`
+    - `counterpart_last_seen_at`
+- For `contacts` mode, visibility is granted only when the viewer is in target user's contacts.
+- Group/channel invite restrictions are enforced by `privacy_group_invites`:
+  - Users with `contacts` can be added only by users present in their contacts list.
+  - Applies to group/channel creation with initial members and admin add-member action.
+
 ### POST `/api/v1/chats/{chat_id}/archive`
 
 Auth required.