From 40edd0891d0003c5441dfd2c067eeb5632fbc2ed Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?= <duesterhus@woltlab.com>
Date: Tue, 26 Sep 2023 09:45:05 +0200
Subject: [PATCH] Fix filtering the modification log from invisible
 participants

There is a previous commit relating to this issue in
28484add293eac5d0299d991ffaaa9f478c418e1, but it either never worked or no
longer works. Possibly this got broken when the conversations were refactored
to allow for removal of participants, while still allowing them to see the
contents up to their removal.

The ConversationParticipantList implicitly filters out invisible participants
internally, thus they don't will never be added to the invisibleParticipantIDs.

Fix this issue by inverting the logic: Instead of filtering out all invisible
participants, the query will now only include visible participants that are
guaranteed to be visible.

This fix will affect existing conversations.

see https://www.woltlab.com/community/thread/301779-konversation-mit-bcc-leakt-teilnehmer/
---
 files/lib/page/ConversationPage.class.php | 25 +++++++++--------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/files/lib/page/ConversationPage.class.php b/files/lib/page/ConversationPage.class.php
index c30e3df..b7b2ec1 100644
--- a/files/lib/page/ConversationPage.class.php
+++ b/files/lib/page/ConversationPage.class.php
@@ -294,14 +294,12 @@ class ConversationPage extends MultipleLinkPage
         }
         $this->objectList->rewind();
 
-        // get invisible participants
-        $invisibleParticipantIDs = [];
-        if (WCF::getUser()->userID != $this->conversation->userID) {
-            foreach ($this->participantList as $participant) {
-                /** @noinspection PhpUndefinedFieldInspection */
-                if ($participant->isInvisible) {
-                    $invisibleParticipantIDs[] = $participant->userID;
-                }
+        // get visible participants
+        $visibleParticipantIDs = [];
+        foreach ($this->participantList as $participant) {
+            /** @noinspection PhpUndefinedFieldInspection */
+            if (!$participant->isInvisible || WCF::getUser()->userID == $this->conversation->userID) {
+                $visibleParticipantIDs[] = $participant->userID;
             }
         }
 
@@ -309,13 +307,10 @@ class ConversationPage extends MultipleLinkPage
         $this->modificationLogList = new ConversationLogModificationLogList($this->conversation->conversationID);
         $this->modificationLogList->getConditionBuilder()
             ->add("modification_log.time BETWEEN ? AND ?", [$startTime, $endTime]);
-
-        if (!empty($invisibleParticipantIDs)) {
-            $this->modificationLogList->getConditionBuilder()->add(
-                "(modification_log.action <> ? OR modification_log.userID NOT IN (?))",
-                ['leave', $invisibleParticipantIDs]
-            );
-        }
+        $this->modificationLogList->getConditionBuilder()->add(
+            "modification_log.userID IN (?)",
+            [$visibleParticipantIDs]
+        );
 
         $this->modificationLogList->readObjects();
     }
-- 
2.20.1