From 9d57227141f2407453f01aa0102339834bc3275b Mon Sep 17 00:00:00 2001
From: Marcel Werk
Date: Thu, 6 Jun 2013 17:46:54 +0200
Subject: [PATCH] Added missing permission check

---
 ...CommentResponseUserActivityEvent.class.php | 69 ++++++++++---------
 .../ProfileCommentUserActivityEvent.class.php | 43 ++++++------
 2 files changed, 59 insertions(+), 53 deletions(-)

diff --git a/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentResponseUserActivityEvent.class.php b/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentResponseUserActivityEvent.class.php
index f9efe4805b..81cf038969 100644
--- a/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentResponseUserActivityEvent.class.php
+++ b/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentResponseUserActivityEvent.class.php
@@ -22,40 +22,43 @@ class ProfileCommentResponseUserActivityEvent extends SingletonFactory implement
 * @see wcf\system\user\activity\event\IUserActivityEvent::prepare()
 */
 public function prepare(array $events) {
- $responseIDs = array();
- foreach ($events as $event) {
- $responseIDs[] = $event->objectID;
- }
-
- // fetch responses
- $responseList = new CommentResponseList();
- $responseList->getConditionBuilder()->add("comment_response.responseID IN (?)", array($responseIDs));
- $responseList->readObjects();
- $responses = $responseList->getObjects();
-
- // fetch comments
- $commentIDs = $comments = array();
- foreach ($responses as $response) {
- $commentIDs[] = $response->commentID;
- }
- if (!empty($commentIDs)) {
- $commentList = new CommentList();
- $commentList->getConditionBuilder()->add("comment.commentID IN (?)", array($commentIDs));
- $commentList->readObjects();
- $comments = $commentList->getObjects();
- }
+ $responses = $responseIDs = array();
 
- // fetch users
- $userIDs = $users = array();
- foreach ($comments as $comment) {
- $userIDs[] = $comment->objectID;
- $userIDs[] = $comment->userID;
- }
- if (!empty($userIDs)) {
- $userList = new UserProfileList();
- $userList->getConditionBuilder()->add("user_table.userID IN (?)", array($userIDs));
- $userList->readObjects();
- $users = $userList->getObjects();
+ if (WCF::getSession()->getPermission('user.profile.canViewUserProfile')) {
+ foreach ($events as $event) {
+ $responseIDs[] = $event->objectID;
+ }
+
+ // fetch responses
+ $responseList = new CommentResponseList();
+ $responseList->getConditionBuilder()->add("comment_response.responseID IN (?)", array($responseIDs));
+ $responseList->readObjects();
+ $responses = $responseList->getObjects();
+
+ // fetch comments
+ $commentIDs = $comments = array();
+ foreach ($responses as $response) {
+ $commentIDs[] = $response->commentID;
+ }
+ if (!empty($commentIDs)) {
+ $commentList = new CommentList();
+ $commentList->getConditionBuilder()->add("comment.commentID IN (?)", array($commentIDs));
+ $commentList->readObjects();
+ $comments = $commentList->getObjects();
+ }
+
+ // fetch users
+ $userIDs = $users = array();
+ foreach ($comments as $comment) {
+ $userIDs[] = $comment->objectID;
+ $userIDs[] = $comment->userID;
+ }
+ if (!empty($userIDs)) {
+ $userList = new UserProfileList();
+ $userList->getConditionBuilder()->add("user_table.userID IN (?)", array($userIDs));
+ $userList->readObjects();
+ $users = $userList->getObjects();
+ }
 }
 
 // set message
diff --git a/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentUserActivityEvent.class.php b/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentUserActivityEvent.class.php
index fbbd94ed7f..0ba8b1d51d 100644
--- a/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentUserActivityEvent.class.php
+++ b/wcfsetup/install/files/lib/system/user/activity/event/ProfileCommentUserActivityEvent.class.php
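Review bot: On the denied path `$comments` and `$users` are never defined, because only `$responses` and `$responseIDs` are initialised before the added `if`, while `$commentIDs = $comments = array();` and `$userIDs = $users = array();` now sit inside the guarded block. The `// set message` code that follows lies outside the hunk, so whether it reads those variables without `isset()` cannot be confirmed here; initialising everything up front, `$responses = $comments = $users = $responseIDs = array();`, keeps the no-permission case fail-closed without depending on that. The hunk in ProfileCommentUserActivityEvent.class.php has the same gap for `$users`. prepare()'s body continues outside the hunk.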
@@ -21,27 +21,30 @@ class ProfileCommentUserActivityEvent extends SingletonFactory implements IUserA
 * @see wcf\system\user\activity\event\IUserActivityEvent::prepare()
 */
 public function prepare(array $events) {
- $comentIDs = array();
- foreach ($events as $event) {
- $comentIDs[] = $event->objectID;
- }
-
- // fetch comments
- $commentList = new CommentList();
- $commentList->getConditionBuilder()->add("comment.commentID IN (?)", array($comentIDs));
- $commentList->readObjects();
- $comments = $commentList->getObjects();
+ $comments = $comentIDs = array();
 
- // fetch users
- $userIDs = $users = array();
- foreach ($comments as $comment) {
- $userIDs[] = $comment->objectID;
- }
- if (!empty($userIDs)) {
- $userList = new UserProfileList();
- $userList->getConditionBuilder()->add("user_table.userID IN (?)", array($userIDs));
- $userList->readObjects();
- $users = $userList->getObjects();
+ if (WCF::getSession()->getPermission('user.profile.canViewUserProfile')) {
+ foreach ($events as $event) {
+ $comentIDs[] = $event->objectID;
+ }
+
+ // fetch comments
+ $commentList = new CommentList();
+ $commentList->getConditionBuilder()->add("comment.commentID IN (?)", array($comentIDs));
+ $commentList->readObjects();
+ $comments = $commentList->getObjects();
+
+ // fetch users
+ $userIDs = $users = array();
+ foreach ($comments as $comment) {
+ $userIDs[] = $comment->objectID;
+ }
+ if (!empty($userIDs)) {
+ $userList = new UserProfileList();
+ $userList->getConditionBuilder()->add("user_table.userID IN (?)", array($userIDs));
+ $userList->readObjects();
+ $users = $userList->getObjects();
+ }
 }
 
 // set message
-- 
2.20.1
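Review bot: The new guard tests only the session-wide `user.profile.canViewUserProfile` permission; nothing in the guarded block checks whether the particular profile identified by `$comment->objectID` is visible to the current viewer. If profiles can be restricted individually, that filtering would have to happen in the `// set message` code, which lies outside the hunk and cannot be confirmed from here. I would record the scope above the guard, e.g. `// enforces only the global profile-view permission; per-profile visibility is not evaluated here`, and add a per-profile check if the later code lacks one. The same applies to the guard in ProfileCommentResponseUserActivityEvent.class.php.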