From 654bb16b2e768ce3f215a326fd6b22694af27d8c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Tim=20D=C3=BCsterhus?= Date: Fri, 1 Aug 2014 19:14:34 +0200 Subject: [PATCH] Fix permissions for email address visibility Now email addresses of users will only be shown if the owner either consents, or if the user is able to edit email addresses of other users. --- com.woltlab.wcf/templates/user.tpl | 2 +- .../files/lib/acp/page/UserListPage.class.php | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/com.woltlab.wcf/templates/user.tpl b/com.woltlab.wcf/templates/user.tpl index de4ef79400..ad5ffae20e 100644 --- a/com.woltlab.wcf/templates/user.tpl +++ b/com.woltlab.wcf/templates/user.tpl @@ -197,7 +197,7 @@ {/if} {if $user->userID != $__wcf->user->userID} - {if $user->isAccessible('canViewEmailAddress') || $__wcf->session->getPermission('admin.general.canViewPrivateUserOptions')} + {if $user->isAccessible('canViewEmailAddress') || $__wcf->session->getPermission('admin.user.canEditMailAddress')}
  • {elseif $user->isAccessible('canMail') && $__wcf->session->getPermission('user.profile.canMail')}
  • diff --git a/wcfsetup/install/files/lib/acp/page/UserListPage.class.php b/wcfsetup/install/files/lib/acp/page/UserListPage.class.php index e5b8da372d..f00584bed8 100755 --- a/wcfsetup/install/files/lib/acp/page/UserListPage.class.php +++ b/wcfsetup/install/files/lib/acp/page/UserListPage.class.php @@ -36,7 +36,7 @@ class UserListPage extends SortablePage { * list of selected columns * @var array */ - public $columns = array('email', 'registrationDate', 'lastActivityTime'); + public $columns = array('registrationDate', 'lastActivityTime'); /** * applies special CSS classes for selected columns @@ -116,7 +116,7 @@ class UserListPage extends SortablePage { /** * @see \wcf\page\SortablePage::$validSortFields */ - public $validSortFields = array('email', 'userID', 'registrationDate', 'username', 'lastActivityTime', 'profileHits', 'activityPoints', 'likesReceived'); + public $validSortFields = array('userID', 'registrationDate', 'username', 'lastActivityTime', 'profileHits', 'activityPoints', 'likesReceived'); /** * @see \wcf\page\IPage::readParameters() @@ -146,6 +146,11 @@ class UserListPage extends SortablePage { // add options to valid sort fields $this->validSortFields = array_merge($this->validSortFields, array_keys($this->options)); + // avoid leaking mail adresses by sorting + if (WCF::getSession()->getPermission('admin.user.canEditMailAddress')) { + $this->validSortFields[] = 'email'; + } + parent::validateSortField(); } @@ -155,6 +160,11 @@ class UserListPage extends SortablePage { public function readData() { parent::readData(); + // add email column for authorized users + if (WCF::getSession()->getPermission('admin.user.canEditMailAddress')) { + array_unshift($this->columns, 'email'); + } + // get marked users $this->markedUsers = WCF::getSession()->getVar('markedUsers'); if ($this->markedUsers == null || !is_array($this->markedUsers)) $this->markedUsers = array(); -- 2.20.1
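Review bot: The permission name `admin.user.canEditMailAddress` is checked independently in validateSortField() here and again in readData() in the next hunk, so the sort gate and the column gate can drift apart in a later edit. Because ordering by a hidden column lets a viewer infer its values, both checks should go through one helper, e.g. `protected function canSeeEmail() { return WCF::getSession()->getPermission('admin.user.canEditMailAddress'); }`. The added comment would be clearer as `// email is a valid sort field only for viewers allowed to see it; sort order would otherwise reveal hidden addresses`, which also fixes the `adresses` typo. validateSortField() begins outside the hunk, so it cannot be checked from here whether the default sort field or a key merged in from `$this->options` can still resolve to `email` for an unprivileged viewer.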
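Review bot: `array_unshift($this->columns, 'email')` in readData() prepends unconditionally to a public property, so a second readData() call, or a subclass that already lists `email`, would produce a duplicate column. Guarding it with `if (!in_array('email', $this->columns, true)) array_unshift($this->columns, 'email');` avoids that. The property docblock for `$columns` should also state that `email` is deliberately absent from the default and is added only after the permission check, so a later edit does not restore it to the default list. readData() continues outside the hunk, so whether anything else can place `email` into `$columns` for an unprivileged viewer is not visible here.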