Fix filtering the modification log from invisible participants

There is a previous commit relating to this issue in
28484add293eac5d0299d991ffaaa9f478c418e1, but it either never worked or no
longer works. Possibly this got broken when the conversations were refactored
to allow for removal of participants, while still allowing them to see the
contents up to their removal.

The ConversationParticipantList implicitly filters out invisible participants
internally, thus they don't will never be added to the invisibleParticipantIDs.

Fix this issue by inverting the logic: Instead of filtering out all invisible
participants, the query will now only include visible participants that are
guaranteed to be visible.

This fix will affect existing conversations.

see https://www.woltlab.com/community/thread/301779-konversation-mit-bcc-leakt-teilnehmer/

diff --git a/files/lib/page/ConversationPage.class.php b/files/lib/page/ConversationPage.class.php
index c30e3dfc1afa527e8ca89fff023325558b08b2fe..b7b2ec11a53dbafb3c00721eb67ffc505a03eed2 100644 (file)
--- a/files/lib/page/ConversationPage.class.php
+++ b/files/lib/page/ConversationPage.class.php
@@ -294,14 +294,12 @@ class ConversationPage extends MultipleLinkPage
         }
         $this->objectList->rewind();
 
-        // get invisible participants
-        $invisibleParticipantIDs = [];
-        if (WCF::getUser()->userID != $this->conversation->userID) {
-            foreach ($this->participantList as $participant) {
-                /** @noinspection PhpUndefinedFieldInspection */
-                if ($participant->isInvisible) {
-                    $invisibleParticipantIDs[] = $participant->userID;
-                }
+        // get visible participants
+        $visibleParticipantIDs = [];
+        foreach ($this->participantList as $participant) {
+            /** @noinspection PhpUndefinedFieldInspection */
+            if (!$participant->isInvisible || WCF::getUser()->userID == $this->conversation->userID) {
+                $visibleParticipantIDs[] = $participant->userID;
             }
         }
 
@@ -309,13 +307,10 @@ class ConversationPage extends MultipleLinkPage
         $this->modificationLogList = new ConversationLogModificationLogList($this->conversation->conversationID);
         $this->modificationLogList->getConditionBuilder()
             ->add("modification_log.time BETWEEN ? AND ?", [$startTime, $endTime]);
-
-        if (!empty($invisibleParticipantIDs)) {
-            $this->modificationLogList->getConditionBuilder()->add(
-                "(modification_log.action <> ? OR modification_log.userID NOT IN (?))",
-                ['leave', $invisibleParticipantIDs]
-            );
-        }
+        $this->modificationLogList->getConditionBuilder()->add(
+            "modification_log.userID IN (?)",
+            [$visibleParticipantIDs]
+        );
 
         $this->modificationLogList->readObjects();
     }