
Merge pull request #10725 from growilabs/feat/174756-block-user-pages

feat: Block other user's user pages
Yuki Takei 2 месяцев назад
Родитель
Сommit
d31d754ac9

+ 29 - 0
apps/app/src/pages/[[...path]]/page-data-props.ts

@@ -10,6 +10,8 @@ import { isIPageInfo, isIPageNotFoundInfo } from '@growi/core';
 import {
   isPermalink as _isPermalink,
   isTopPage,
+  isUserPage,
+  isUsersTopPage,
 } from '@growi/core/dist/utils/page-path-utils';
 import { removeHeadingSlash } from '@growi/core/dist/utils/path-utils';
 import assert from 'assert';
@@ -162,6 +164,33 @@ export async function getPageDataForInitial(
     { pageId, path: resolvedPagePath, user },
   );
 
+  const isHidingUserPages = configManager.getConfig(
+    'security:isHidingUserPages',
+  );
+
+  if (isHidingUserPages && pageWithMeta.data != null) {
+    const pagePath = pageWithMeta.data.path;
+    const isTargetUserPage = isUserPage(pagePath) || isUsersTopPage(pagePath);
+
+    if (isTargetUserPage) {
+      return {
+        props: {
+          currentPathname: resolvedPagePath,
+          isIdenticalPathPage: false,
+          pageWithMeta: {
+            data: null,
+            meta: {
+              isNotFound: true,
+              isForbidden: true,
+            },
+          } satisfies IDataWithRequiredMeta<null, IPageNotFoundInfo>,
+          skipSSR: false,
+          redirectFrom,
+        },
+      };
+    }
+  }
+
   // Handle URL conversion
   const currentPathname = resolveFinalizedPathname(
     resolvedPagePath,
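Review bot: The new guard in `getPageDataForInitial` returns the forbidden result to every viewer, because it tests only `isHidingUserPages` and the page path and never looks at `user`, which is in scope in the lookup call just above. The commit title says other users' pages are blocked, so unless the owner (and possibly admins) are exempted outside this hunk, users lose access to their own page; the same applies to the check added to `respondWithSinglePage` in apps/app/src/server/routes/apiv3/page/index.ts. The guard also runs only when `pageWithMeta.data != null`, so an existing user page answers with `isForbidden: true` while a missing one presumably falls through to the ordinary not-found result, which reveals which user pages exist. Consider also testing `resolvedPagePath` before the lookup where a path is available, or returning the same meta in both cases, and add a short comment stating who is meant to be exempt. The function body starts and ends outside the hunk.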

+ 21 - 1
apps/app/src/server/routes/apiv3/page/index.ts

@@ -17,7 +17,11 @@ import {
   SubscriptionStatusType,
 } from '@growi/core';
 import { ErrorV3 } from '@growi/core/dist/models';
-import { convertToNewAffiliationPath } from '@growi/core/dist/utils/page-path-utils';
+import {
+  convertToNewAffiliationPath,
+  isUserPage,
+  isUsersTopPage,
+} from '@growi/core/dist/utils/page-path-utils';
 import { normalizePath } from '@growi/core/dist/utils/path-utils';
 import type { HydratedDocument } from 'mongoose';
 import mongoose from 'mongoose';
@@ -193,6 +197,10 @@ module.exports = (crowi: Crowi) => {
       const { pageId, path, findAll, revisionId, shareLinkId, includeEmpty } =
         req.query;
 
+      const isHidingUserPages = crowi.configManager.getConfig(
+        'security:isHidingUserPages',
+      );
+
       const respondWithSinglePage = async (
         pageWithMeta:
           | IDataWithMeta<HydratedDocument<PageDocument>, IPageInfoExt>
@@ -219,6 +227,18 @@ module.exports = (crowi: Crowi) => {
           );
         }
 
+        if (isHidingUserPages && page != null) {
+          const isTargetUserPage =
+            isUserPage(page.path) || isUsersTopPage(page.path);
+
+          if (isTargetUserPage) {
+            return res.apiv3Err(
+              new ErrorV3('Page is forbidden', 'page-is-forbidden'),
+              403,
+            );
+          }
+        }
+
         if (page != null) {
           try {
             page.initLatestRevisionField(revisionId);
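Review bot: The user-page check is added only inside `respondWithSinglePage`, while the handler also destructures `findAll` from `req.query` (previous hunk), so a multi-page response path that bypasses this helper could still return pages under user paths when `security:isHidingUserPages` is on. That path is not visible here; please confirm it applies the same `isUserPage(page.path) || isUsersTopPage(page.path)` filter, ideally through one shared helper so this route and the SSR guard in page-data-props.ts cannot drift apart. The new block also sits directly before the existing `if (page != null)` and repeats its null test, so folding it into that block would keep the page handling in one place. The enclosing function continues outside the hunk.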

+ 0 - 1
apps/app/src/server/service/page-listing/page-listing.ts

@@ -60,7 +60,6 @@ class PageListingService implements IPageListingService {
     user?: IUser,
     showPagesRestrictedByOwner = false,
     showPagesRestrictedByGroup = false,
-    hideUserPages = false,
   ): Promise<IPageForTreeItem[]> {
     const Page = mongoose.model<HydratedDocument<PageDocument>, PageModel>(
       'Page',