Diffstat (limited to 'modules/gallery/controllers/user_profile.php')
-rw-r--r--modules/gallery/controllers/user_profile.php39
1 files changed, 39 insertions, 0 deletions
diff --git a/modules/gallery/controllers/user_profile.php b/modules/gallery/controllers/user_profile.php
index e992655b..4922416c 100644
--- a/modules/gallery/controllers/user_profile.php
+++ b/modules/gallery/controllers/user_profile.php
@@ -18,6 +18,7 @@
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class User_Profile_Controller extends Controller {
+
public function show($id) {
// If we get here, then we should have a user id other than guest.
$user = identity::lookup_user($id);
@@ -25,6 +26,10 @@ class User_Profile_Controller extends Controller {
throw new Kohana_404_Exception();
}
+ if (!$this->_can_view_profile_pages($user)) {
+ throw new Kohana_404_Exception();
+ }
+
$v = new Theme_View("page.html", "other", "profile");
$v->page_title = t("%name Profile", array("name" => $user->display_name()));
$v->content = new View("user_profile.html");
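Review bot: The new guard in show() has no comment explaining why a hidden profile answers with `Kohana_404_Exception` rather than an access-denied response, and that choice is what keeps a hidden profile indistinguishable from an unknown id. A one-line comment above the check would record it, for example `// Hidden profiles return 404 so they look the same as non-existent users`. The same three-line guard is repeated in contact() and send(), so the comment, or a small helper that throws, would apply there too. show() starts and ends outside this hunk.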
@@ -44,12 +49,20 @@ class User_Profile_Controller extends Controller {
public function contact($id) {
$user = identity::lookup_user($id);
+ if (!$this->_can_view_profile_pages($user)) {
+ throw new Kohana_404_Exception();
+ }
+
print user_profile::get_contact_form($user);
}
public function send($id) {
access::verify_csrf();
$user = identity::lookup_user($id);
+ if (!$this->_can_view_profile_pages($user)) {
+ throw new Kohana_404_Exception();
+ }
+
$form = user_profile::get_contact_form($user);
if ($form->validate()) {
Sendmail::factory()
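Review bot: In contact() and send() the result of `identity::lookup_user($id)` is passed straight to `_can_view_profile_pages()`, which calls `$user->loaded()` on it. show() has an earlier guard that throws a 404 (its condition is above that hunk), which suggests the lookup can return an empty value. If so, an unknown id here would end in a fatal error instead of a 404, and the different response would also let a caller tell unknown ids from hidden profiles. Making the helper's first check null-safe covers all three callers in one place: `if (empty($user) || !$user->loaded()) {`. send() continues past the end of this hunk.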
@@ -66,4 +79,30 @@ class User_Profile_Controller extends Controller {
json::reply(array("result" => "error", "html" => (string)$form));
}
}
+
+ private function _can_view_profile_pages($user) {
+ if (!$user->loaded()) {
+ return false;
+ }
+
+ if ($user->id == identity::active_user()->id) {
+ // You can always view your own profile
+ return true;
+ }
+
+ switch (module::get_var("gallery", "show_user_profiles_to")) {
+ case "admin_users":
+ return identity::active_user()->admin;
+
+ case "registered_users":
+ return !identity::active_user()->guest;
+
+ case "everybody":
+ return true;
+
+ default:
+ // Fail in private mode on an invalid setting
+ return false;
+ }
+ }
}
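Review bot: The own-profile shortcut `$user->id == identity::active_user()->id` runs before `show_user_profiles_to` is read, so when the active user is the guest account, a request for the guest user's id would return true under every setting, including `admin_users`. Whether that id can reach this helper depends on the guard in show() and on `identity::lookup_user()`, neither of which is fully visible here; contact() and send() show no such guard. Excluding the guest from the shortcut keeps the setting authoritative: `if (!identity::active_user()->guest && $user->id == identity::active_user()->id) {`. A short docblock naming the three accepted values and the deny-by-default fallback would also help, since the setting is only a string lookup here.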