From 95d4af02b3eb58002511825d7e526583ce995a50 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Joshua=20R=C3=BCsweg?= <josh@bastelstu.be>
Date: Tue, 31 Jul 2018 18:08:41 +0200
Subject: [PATCH] Add missign permission checks for reactions See #2508

---
 com.woltlab.wcf/templates/article.tpl         | 29 ++++++++++++-------
 com.woltlab.wcf/templates/commentList.tpl     |  5 +++-
 .../templates/commentResponseList.tpl         |  2 +-
 .../templates/reactionSummaryList.tpl         | 16 +++++-----
 .../js/WoltLabSuite/Core/Ui/Like/Handler.js   |  2 +-
 .../WoltLabSuite/Core/Ui/Reaction/Handler.js  |  3 +-
 .../data/reaction/ReactionAction.class.php    |  4 +++
 7 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/com.woltlab.wcf/templates/article.tpl b/com.woltlab.wcf/templates/article.tpl
index 38c669098c..d1ab534bfd 100644
--- a/com.woltlab.wcf/templates/article.tpl
+++ b/com.woltlab.wcf/templates/article.tpl
@@ -151,18 +151,25 @@
 			</ul>
 		{/if}
 		
-		<div class="row articleLikeSection">
-			<div class="col-xs-12 col-md-6">
-				<div class="articleLikesSummery">
-					{include file="reactionSummaryList" reactionData=$articleLikeData objectType="com.woltlab.wcf.likeableArticle" objectID=$article->articleID}
-				</div>
-			</div>
-			<div class="col-xs-12 col-md-6">
-				<ul class="articleLikeButtons buttonGroup">
-					<li class="jsOnly"><span class="button reactButton{if $articleLikeData[$article->articleID]|isset && $articleLikeData[$article->articleID]->reactionTypeID} active{/if}" title="{lang}wcf.reactions.react{/lang}">{if $articleLikeData[$article->articleID]|isset && $articleLikeData[$article->articleID]->reactionTypeID}{@$__wcf->getReactionHandler()->getReactionTypeByID($articleLikeData[$article->articleID]->reactionTypeID)->renderIcon()}{else}<img src="{$__wcf->getPath()}/images/reaction/reactionIcon.svg" class="reactionType" alt="">{/if}</span></li>
-				</ul>
+		{if MODULE_LIKE && ARTICLE_ENABLE_LIKE && ($__wcf->session->getPermission('user.like.canLike') || $__wcf->session->getPermission('user.like.canViewLike'))}
+			<div class="row articleLikeSection">
+				{if $__wcf->session->getPermission('user.like.canViewLike')}
+					<div class="col-xs-12 col-md-6">
+						<div class="articleLikesSummery">
+							{include file="reactionSummaryList" reactionData=$articleLikeData objectType="com.woltlab.wcf.likeableArticle" objectID=$article->articleID}
+						</div>
+					</div>
+				{/if}
+				
+				{if MODULE_LIKE && $__wcf->session->getPermission('user.like.canLike') && (LIKE_ALLOW_FOR_OWN_CONTENT || $article->userID != $__wcf->user->userID)}
+					<div class="col-xs-12 col-md-6">
+						<ul class="articleLikeButtons buttonGroup">
+							<li class="jsOnly"><span class="button reactButton{if $articleLikeData[$article->articleID]|isset && $articleLikeData[$article->articleID]->reactionTypeID} active{/if}" title="{lang}wcf.reactions.react{/lang}">{if $articleLikeData[$article->articleID]|isset && $articleLikeData[$article->articleID]->reactionTypeID}{@$__wcf->getReactionHandler()->getReactionTypeByID($articleLikeData[$article->articleID]->reactionTypeID)->renderIcon()}{else}<img src="{$__wcf->getPath()}/images/reaction/reactionIcon.svg" class="reactionType" alt="">{/if}</span></li>
+						</ul>
+					</div>
+				{/if}
 			</div>
-		</div>
+		{/if}
 	</div>
 	
 	{event name='afterArticleContent'}
diff --git a/com.woltlab.wcf/templates/commentList.tpl b/com.woltlab.wcf/templates/commentList.tpl
index abfad31c99..20ab1684be 100644
--- a/com.woltlab.wcf/templates/commentList.tpl
+++ b/com.woltlab.wcf/templates/commentList.tpl
@@ -55,7 +55,10 @@
 									<li class="jsReportCommentComment jsOnly" data-object-id="{@$comment->commentID}"><a href="#" title="{lang}wcf.moderation.report.reportContent{/lang}" class="jsTooltip"><span class="icon icon16 fa-exclamation-triangle"></span> <span class="invisible">{lang}wcf.moderation.report.reportContent{/lang}</span></a></li>
 								{/if}
 								
-								{if MODULE_LIKE}<li class="jsOnly"><a href="#" class="reactButton jsTooltip" title="{lang}wcf.reactions.react{/lang}">{if $likeData[comment][$comment->commentID]|isset && $likeData[comment][$comment->commentID]->reactionTypeID}{@$__wcf->getReactionHandler()->getReactionTypeByID($likeData[comment][$comment->commentID]->reactionTypeID)->renderIcon()}{else}<img src="{$__wcf->getPath()}/images/reaction/reactionIcon.svg" class="reactionType">{/if} <span class="invisible">{lang}wcf.reactions.react{/lang}</span></a></li>{/if}
+								{if MODULE_LIKE && $__wcf->session->getPermission('user.like.canLike') && (LIKE_ALLOW_FOR_OWN_CONTENT || $comment->userID != $__wcf->user->userID)}
+									<li class="jsOnly"><a href="#" class="reactButton jsTooltip" title="{lang}wcf.reactions.react{/lang}">{if $likeData[comment][$comment->commentID]|isset && $likeData[comment][$comment->commentID]->reactionTypeID}{@$__wcf->getReactionHandler()->getReactionTypeByID($likeData[comment][$comment->commentID]->reactionTypeID)->renderIcon()}{else}<img src="{$__wcf->getPath()}/images/reaction/reactionIcon.svg" class="reactionType">{/if} <span class="invisible">{lang}wcf.reactions.react{/lang}</span></a></li>
+								{/if}
+								
 								{event name='commentOptions'}
 							</ul>
 						</nav>
diff --git a/com.woltlab.wcf/templates/commentResponseList.tpl b/com.woltlab.wcf/templates/commentResponseList.tpl
index 0204703c7b..714cab266e 100644
--- a/com.woltlab.wcf/templates/commentResponseList.tpl
+++ b/com.woltlab.wcf/templates/commentResponseList.tpl
@@ -48,7 +48,7 @@
 								<li class="jsReportCommentResponse jsOnly" data-object-id="{@$response->responseID}"><a href="#" title="{lang}wcf.moderation.report.reportContent{/lang}" class="jsTooltip"><span class="icon icon16 fa-exclamation-triangle"></span> <span class="invisible">{lang}wcf.moderation.report.reportContent{/lang}</span></a></li>
 							{/if}
 							
-							<li class="jsOnly"><a href="#" class="reactButton jsTooltip" title="{lang}wcf.reactions.react{/lang}">{if $likeData[response][$response->responseID]|isset && $likeData[response][$response->responseID]->reactionTypeID}{@$__wcf->getReactionHandler()->getReactionTypeByID($likeData[response][$response->responseID]->reactionTypeID)->renderIcon()}{else}<img src="{$__wcf->getPath()}/images/reaction/reactionIcon.svg" class="reactionType">{/if} <span class="invisible">{lang}wcf.reactions.react{/lang}</span></a></li>
+							{if MODULE_LIKE && $__wcf->session->getPermission('user.like.canLike') && (LIKE_ALLOW_FOR_OWN_CONTENT || $response->userID != $__wcf->user->userID)}<li class="jsOnly"><a href="#" class="reactButton jsTooltip" title="{lang}wcf.reactions.react{/lang}">{if $likeData[response][$response->responseID]|isset && $likeData[response][$response->responseID]->reactionTypeID}{@$__wcf->getReactionHandler()->getReactionTypeByID($likeData[response][$response->responseID]->reactionTypeID)->renderIcon()}{else}<img src="{$__wcf->getPath()}/images/reaction/reactionIcon.svg" class="reactionType">{/if} <span class="invisible">{lang}wcf.reactions.react{/lang}</span></a></li>{/if}
 							
 							{event name='commentOptions'}
 						</ul>
diff --git a/com.woltlab.wcf/templates/reactionSummaryList.tpl b/com.woltlab.wcf/templates/reactionSummaryList.tpl
index dcefe25b72..f9108f15f9 100644
--- a/com.woltlab.wcf/templates/reactionSummaryList.tpl
+++ b/com.woltlab.wcf/templates/reactionSummaryList.tpl
@@ -1,7 +1,9 @@
-<ul class="reactionSummaryList{if $isTiny|isset && $isTiny} reactionSummaryListTiny{/if} jsOnly" data-object-type="{$objectType}" data-object-id="{$objectID}">
-	{if $reactionData[$objectID]|isset && $reactionData[$objectID]->getReactions()|is_array}
-		{foreach from=$reactionData[$objectID]->getReactions() key=reactionTypeID item=reaction}
-			<li class="reactCountButton jsTooltip" data-reaction-type-id="{$reactionTypeID}" title="{lang}wcf.reactions.summary.listReactions{/lang}">{@$reaction[renderedReactionIcon]} <span class="reactionCount">{$reaction[reactionCount]|shortUnit}</span></li>
-		{/foreach}
-	{/if}
-</ul>
\ No newline at end of file
+{if $__wcf->session->getPermission('user.like.canViewLike')}
+	<ul class="reactionSummaryList{if $isTiny|isset && $isTiny} reactionSummaryListTiny{/if} jsOnly" data-object-type="{$objectType}" data-object-id="{$objectID}">
+		{if $reactionData[$objectID]|isset && $reactionData[$objectID]->getReactions()|is_array}
+			{foreach from=$reactionData[$objectID]->getReactions() key=reactionTypeID item=reaction}
+				<li class="reactCountButton jsTooltip" data-reaction-type-id="{$reactionTypeID}" title="{lang}wcf.reactions.summary.listReactions{/lang}">{@$reaction[renderedReactionIcon]} <span class="reactionCount">{$reaction[reactionCount]|shortUnit}</span></li>
+			{/foreach}
+		{/if}
+	</ul>
+{/if}
\ No newline at end of file
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Like/Handler.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Like/Handler.js
index 951b729e0b..b5fa93554f 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Like/Handler.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Like/Handler.js
@@ -129,7 +129,7 @@ define(
 				isSummaryPosition = false;
 			}
 			
-			if (badgeContainer !== null) {
+			if (badgeContainer !== null && this._options.canViewSummary) {
 				summaryList = elCreate('ul');
 				summaryList.className = 'reactionSummaryList' + (isSummaryPosition ? ' likesSummary' : ' reactionSummaryListTiny') + ((isSummaryPosition && this._options.badgeClassNames) ? ' ' + this._options.badgeClassNames : '');
 				
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Reaction/Handler.js b/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Reaction/Handler.js
index fcf8390a37..e04c6fbca7 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Reaction/Handler.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/Ui/Reaction/Handler.js
@@ -109,7 +109,8 @@ define(
 				elementData.reactButton = elBySel(this._options.buttonSelector, element);
 				
 				if (elementData.reactButton === null || elementData.reactButton.length === 0) {
-					throw new Error("[WoltLabSuite/Core/Ui/Reaction/Handler] Unable to find reactButton.");
+					// the element may have no react button 
+					return; 
 				}
 				
 				elementData.reactButton.addEventListener(WCF_CLICK_EVENT, this._toggleReactPopover.bind(this, elementData.objectId, elementData.reactButton));
diff --git a/wcfsetup/install/files/lib/data/reaction/ReactionAction.class.php b/wcfsetup/install/files/lib/data/reaction/ReactionAction.class.php
index 21e3ba9dd2..57b68115db 100644
--- a/wcfsetup/install/files/lib/data/reaction/ReactionAction.class.php
+++ b/wcfsetup/install/files/lib/data/reaction/ReactionAction.class.php
@@ -66,6 +66,10 @@ class ReactionAction extends AbstractDatabaseObjectAction {
 	public function validateGetReactionDetails() {
 		$this->validateObjectParameters();
 		
+		if (!WCF::getSession()->getPermission('user.like.canViewLike')) {
+			throw new PermissionDeniedException();
+		}
+		
 		$this->readInteger('reactionTypeID');
 		$this->readInteger('pageNo');
 		
-- 
2.20.1