Block other user pages

apps/app/src/pages/[[...path]]/page-data-props.ts

@@ -162,6 +162,36 @@ export async function getPageDataForInitial(
     { pageId, path: resolvedPagePath, user },
   );
 
+  const isHidingUserPages = configManager.getConfig(
+    'security:isHidingUserPages',
+  );
+
+  if (isHidingUserPages && pageWithMeta.data != null) {
+    const pagePath = pageWithMeta.data.path;
+
+    if (pagePath.startsWith('/user')) {
+      const isOwnPage = user != null && pagePath === `/user/${user.username}`;
+
+      if (!isOwnPage) {
+        return {
+          props: {
+            currentPathname: resolvedPagePath,
+            isIdenticalPathPage: false,
+            pageWithMeta: {
+              data: null,
+              meta: {
+                isNotFound: true,
+                isForbidden: true,
+              },
+            } satisfies IDataWithRequiredMeta<null, IPageNotFoundInfo>,
+            skipSSR: false,
+            redirectFrom,
+          },
+        };
+      }
+    }
+  }
+
   // Handle URL conversion
   const currentPathname = resolveFinalizedPathname(
     resolvedPagePath,

apps/app/src/server/routes/apiv3/page/index.ts

@@ -193,6 +193,10 @@ module.exports = (crowi: Crowi) => {
       const { pageId, path, findAll, revisionId, shareLinkId, includeEmpty } =
         req.query;
 
+      const isHidingUserPages = crowi.configManager.getConfig(
+        'security:isHidingUserPages',
+      );
+
       const respondWithSinglePage = async (
         pageWithMeta:
           | IDataWithMeta<HydratedDocument<PageDocument>, IPageInfoExt>
@@ -219,6 +223,20 @@ module.exports = (crowi: Crowi) => {
           );
         }
 
+        if (isHidingUserPages && page != null) {
+          const pagePath = page.path;
+          if (pagePath.startsWith('/user')) {
+            const isOwnPage =
+              user != null && pagePath === `/user/${user.username}`;
+            if (!isOwnPage) {
+              return res.apiv3Err(
+                new ErrorV3('Page is forbidden', 'page-is-forbidden'),
+                403,
+              );
+            }
+          }
+        }
+
         if (page != null) {
           try {
             page.initLatestRevisionField(revisionId);

apps/app/src/server/service/page-listing/page-listing.ts

@@ -60,7 +60,6 @@ class PageListingService implements IPageListingService {
     user?: IUser,
     showPagesRestrictedByOwner = false,
     showPagesRestrictedByGroup = false,
-    hideUserPages = false,
   ): Promise<IPageForTreeItem[]> {
     const Page = mongoose.model<HydratedDocument<PageDocument>, PageModel>(
       'Page',