Restrict who can use the lastSeenAt user sort. Fixes #2519

flarum · Feb 24, 2021 · ac6d743 · ac6d743
1 parent 1c578a8
commit ac6d743
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/Api/Controller/ListUsersController.php b/src/Api/Controller/ListUsersController.php
@@ -36,7 +36,6 @@ class ListUsersController extends AbstractListController
         'username',
         'commentCount',
         'discussionCount',
-        'lastSeenAt',
         'joinedAt'
     ];
 
@@ -69,6 +68,12 @@ protected function data(ServerRequestInterface $request, Document $document)
 
         $actor->assertCan('viewUserList');
 
+        if ($actor->can('viewLastSeenAt')) {
+            // At the moment, only people able to see everyone's last online date can sort by it. Ref #2519
+            // Otherwise this sort field would defeat the privacy setting discloseOnline
+            $this->addSortField('lastSeenAt');
+        }
+
         $query = Arr::get($this->extractFilter($request), 'q');
         $sort = $this->extractSort($request);