From bfb6652560fee2d1d61f9d7272e2b5b89f4f129e Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sun, 30 Apr 2017 19:57:24 +0200
Subject: [PATCH] Suppress user popover when user may not view profiles See #2263
---
 com.woltlab.wcf/templates/headIncludeJavaScript.tpl | 1 +
 .../install/files/js/WoltLabSuite/Core/BootstrapFrontend.js | 5 ++++-
 .../install/files/lib/data/user/UserProfileAction.class.php | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/com.woltlab.wcf/templates/headIncludeJavaScript.tpl b/com.woltlab.wcf/templates/headIncludeJavaScript.tpl
index 62c44a6b03..7480ccced1 100644
--- a/com.woltlab.wcf/templates/headIncludeJavaScript.tpl
+++ b/com.woltlab.wcf/templates/headIncludeJavaScript.tpl
@@ -118,6 +118,7 @@ requirejs.config({
 url: '{link controller="BackgroundQueuePerform"}{/link}',
 force: {if $forceBackgroundQueuePerform|isset}true{else}false{/if}
 },
+ enableUserPopover: {if $__wcf->getSession()->getPermission('user.profile.canViewUserProfile')}true{else}false{/if},
 styleChanger: {if $__wcf->getStyleHandler()->showStyleChanger()}true{else}false{/if}
 });
diff --git a/wcfsetup/install/files/js/WoltLabSuite/Core/BootstrapFrontend.js b/wcfsetup/install/files/js/WoltLabSuite/Core/BootstrapFrontend.js
index 801fc597a1..3cf345d080 100644
--- a/wcfsetup/install/files/js/WoltLabSuite/Core/BootstrapFrontend.js
+++ b/wcfsetup/install/files/js/WoltLabSuite/Core/BootstrapFrontend.js
@@ -41,7 +41,10 @@ define(
 ControllerStyleChanger.setup();
 }
- this._initUserPopover();
+ if (options.enableUserPopover) {
+ this._initUserPopover();
+ }
+
 this._invokeBackgroundQueue(options.backgroundQueue.url, options.backgroundQueue.force);
 UiUserIgnore.init();
diff --git a/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php b/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php
index 79a005eb63..35c7d5c459 100644
--- a/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php
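Review bot: The `if (options.enableUserPopover)` guard in `BootstrapFrontend.js` treats a missing key the same as `false`, so any caller or template override that does not pass the new option would lose the popover with no hint as to why. That default fails closed, which is the right direction, but it deserves a comment that also states the flag only hides UI and that access is decided by the permission check in `validateGetUserProfile()`: `// UI hint only (absent = disabled); the server enforces user.profile.canViewUserProfile`. The enclosing setup function starts and ends outside the hunk, so I cannot see whether its docblock lists the accepted options; if it does, `enableUserPopover` should be added there.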
+++ b/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php
@@ -77,6 +77,8 @@ class UserProfileAction extends UserAction {
 * Validates user profile preview.
 */
 public function validateGetUserProfile() {
+ WCF::getSession()->checkPermissions(['user.profile.canViewUserProfile']);
+
 if (count($this->objectIDs) != 1) {
 throw new UserInputException('objectIDs');
 }
--
2.20.1
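Review bot: The docblock above `validateGetUserProfile()` still says only "Validates user profile preview." although the method now rejects sessions without `user.profile.canViewUserProfile` before it looks at `objectIDs`; add a line such as `@throws PermissionDeniedException` (assuming that is what `checkPermissions()` raises) so the contract is visible to callers. This call is the only enforcement in the commit, since the template flag and the JavaScript guard just hide the popover, so it is worth confirming that any other action in `UserProfileAction` that returns profile data carries the same check; those methods are outside this hunk. The method body continues past the last context line.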