Hide user profiles

HameezExE

Hi!

I'm looking for a way to restrict access to user profiles in my Flarum forum, ensuring that only Admins and Mods can view other users profiles. I tried using the Hide Profile extension (https://flarum.org/extension/serakoi/flarum-hideprofile), but unfortunately, it didn't work. Ideally, I want to achieve the following:

Members should be able to view their own profiles.
Members should not be able to view other users' profiles.
Only Admins and Mods should be able to view all users' profiles.

I was able to achieve this behaviour using JavaScript (and adding it to the footer) but the method I used did not work for internal links & only worked when the page was reloaded when navigating.

Does anyone have suggestions on how I could achieve this? Any advice would be greatly appreciated!

Thanks!

Anomalum

HameezExE Could you possibly share the footer Java that you tried?
I want to see if it can be modified to achieve what you're after.

HameezExE

Anomalum

Sure, I don't think this "good code" but this was the best we (me & ChatGPT) were able to come up with 🥲

<style>
  /* Initially hide the .App--user content */
  .hidden-content {
    display: none;
  }
</style>

<script>
  document.addEventListener('DOMContentLoaded', function () {
    // Hide the .App--user initially
    const userAppElement = document.querySelector('.App--user');
    if (userAppElement) {
      userAppElement.classList.add('hidden-content');
    }

    // Check if the URL contains "/u/" to determine if it's a profile page
    const path = window.location.pathname;
    const isProfilePage = path.includes('/u/');

    if (isProfilePage) {
      // Get the current user and the profile being viewed
      const currentUser = app.session.user;
      const profileUsername = path.split('/u/')[1].split('/')[0]; // Assumes URL format contains /u/:username

      // Check if the user is logged in
      if (currentUser) {
        const currentUsername = currentUser.username(); // Get the current user's username
        const currentUserGroups = currentUser.groups();

        // Check if the user is viewing their own profile or is in allowed groups
        const isAllowed = currentUsername === profileUsername || currentUserGroups.some(group => group.id() === '1' || group.id() === '4');

        if (isAllowed) {
          // Show the .App--user content if the user is authorized
          userAppElement.classList.remove('hidden-content');
        } else {
          // If not allowed, update the URL to the home page and refresh
          window.history.replaceState({}, document.title, '/');
          location.reload();
        }
      } else {
        // If not logged in, update the URL to the home page and refresh
        window.history.replaceState({}, document.title, '/');
        location.reload();
      }
    } else {
      // Not on a profile page, show the .App--user content
      if (userAppElement) {
        userAppElement.classList.remove('hidden-content');
      }
    }
  });
</script>

Here 1 & 4 are the group ids of Admins & Mods respectively.

hf06

HameezExE With some effort, it might be possible to achieve this using JS + CSS, but I wouldn't recommend it. Users can still view profile pages using the developer console.

Comments from a member are fetched on the profile page using an API like "GET /api/posts?filter%5Bauthor%5D=USERNAME&filter%5Btype%5D=comment&page%5Boffset%5D=0&page%5Blimit%5D=20&sort=-createdAt". Perhaps if you manage to restrict access to this API for users other than moderators and administrators, you could get closer to what you're looking for. Additionally, in cases where users cannot access the API on profile pages, you could potentially use a function to display a full-screen error message, completely hiding the profile from users who cannot access the API.

This is currently just a theory.

ChatGPT provided a plugin like this. You might want to try it.

Extension (ChatGPT)

Extensionı:

your-extension/
├── js/
│   └── app.js
├── composer.json
└── bootstrap.php

composer.json:

{
    "name": "your-username/your-extension",
    "type": "flarum-extension",
    "require": {
        "flarum/core": "^1.0"
    },
    "autoload": {
        "psr-4": {
            "Your\\Namespace\\": "src/"
        }
    },
    "extra": {
        "flarum-extension": {
            "title": "Your Extension",
            "icon": {
                "name": "fas fa-lock",
                "backgroundColor": "#007bff",
                "color": "#ffffff"
            }
        }
    }
}

bootstrap.php:

<?php

use Flarum\Extend;
use Flarum\Api\Serializer\PostSerializer;
use Flarum\User\User;

return [
    (new Extend\Middleware('api'))->add(
        new class {
            public function handle($request, $next)
            {
                // API
                if ($request->is('api/posts')) {
                    $username = $request->input('filter.author');

                    // User
                    if ($request->user() && ($request->user()->isAdmin() || $request->user()->isModerator() || $request->user()->username === $username)) {
                        return $next($request);
                    }

                    // Error
                    return response()->json([
                        'error' => [
                            'status' => 403,
                            'title' => 'Forbidden',
                            'detail' => 'You do not have permission to view this page.'
                        ]
                    ], 403);
                }

                return $next($request);
            }
        }
    ),
];

app.js:

import app from 'flarum/app';

app.initializers.add('your-username-your-extension', () => {
    // AJAX error show
    app.store.models.posts.prototype.apiUrl = function () {
        return '/api/posts?filter[author]=' + this.attributes.authorId + '&filter[type]=comment&page[offset]=0&page[limit]=20&sort=-createdAt';
    };

    app.request.get(app.store.models.posts.prototype.apiUrl()).catch((error) => {
        if (error.response && error.response.status === 500) {
            // Show error
            app.alerts.show({ type: 'error' }, 'You do not have permission to view this page.');
        }
    });
});

I'm sure this code won't work and there are tons of errors. I just wanted to create such a template as an example

HameezExE

@"Anomalum"#p234614 Thank you so much for trying! I wonder if there's something coming from flarum we can use to know whether a page is changed without it refreshing...