pacnpal/thrilltrack-explorer
1
0
Fork 0
mirror of https://github.com/pacnpal/thrilltrack-explorer.git synced 2025-12-24 12:31:14 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix profile privacy and simplify code

Browse Source
This commit is contained in:
gpt-engineer-app[bot]
2025-10-14 18:11:10 +00:00
parent 85c79ad511
commit 6698ee9a29
6 changed files with 100 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
src/components/profile/LocationDisplay.tsx
View File

@@ -1,49 +1,15 @@
import { useState, useEffect } from 'react';
import { MapPin } from 'lucide-react';
import { supabase } from '@/integrations/supabase/client';
interface LocationDisplayProps {
location: {
city?: string;
country: string;
};
userId: string;
isOwnProfile: boolean;
} | null | undefined;
}
export function LocationDisplay({ location, userId, isOwnProfile }: LocationDisplayProps) {
const [showLocation, setShowLocation] = useState(false);
useEffect(() => {
fetchLocationPrivacy();
}, [userId, isOwnProfile]);
const fetchLocationPrivacy = async () => {
try {
const { data: { user } } = await supabase.auth.getUser();
const viewerId = user?.id;
// Use the secure function to check location visibility
const { data, error } = await supabase
.rpc('can_view_user_location', {
_viewer_id: viewerId,
_profile_user_id: userId
});
if (error) {
console.error('Error checking location privacy:', error);
setShowLocation(false);
return;
}
setShowLocation(data || false);
} catch (error) {
console.error('Error checking location privacy:', error);
setShowLocation(false);
}
};
if (!showLocation) {
export function LocationDisplay({ location }: LocationDisplayProps) {
// get_filtered_profile() already handles privacy - if location is present, it's viewable
if (!location) {
return null;
}
@@ -53,4 +19,4 @@ export function LocationDisplay({ location, userId, isOwnProfile }: LocationDisp
{location.city ? `${location.city}, ${location.country}` : location.country}
</div>
);
}
}

42
src/components/profile/PersonalLocationDisplay.tsx
View File

@@ -1,46 +1,12 @@
import { useState, useEffect } from 'react';
import { MapPin } from 'lucide-react';
import { supabase } from '@/integrations/supabase/client';
interface PersonalLocationDisplayProps {
personalLocation: string;
userId: string;
isOwnProfile: boolean;
personalLocation: string | null | undefined;
}
export function PersonalLocationDisplay({ personalLocation, userId, isOwnProfile }: PersonalLocationDisplayProps) {
const [showLocation, setShowLocation] = useState(false);
useEffect(() => {
fetchLocationPrivacy();
}, [userId, isOwnProfile]);
const fetchLocationPrivacy = async () => {
try {
const { data: { user } } = await supabase.auth.getUser();
const viewerId = user?.id;
// Use the secure function to check location visibility
const { data, error } = await supabase
.rpc('can_view_user_location', {
_viewer_id: viewerId,
_profile_user_id: userId
});
if (error) {
console.error('Error checking location privacy:', error);
setShowLocation(false);
return;
}
setShowLocation(data || false);
} catch (error) {
console.error('Error fetching location privacy:', error);
setShowLocation(false);
}
};
if (!showLocation || !personalLocation) {
export function PersonalLocationDisplay({ personalLocation }: PersonalLocationDisplayProps) {
// get_filtered_profile() already handles privacy - if personalLocation is present, it's viewable
if (!personalLocation) {
return null;
}

42
src/hooks/useProfile.tsx
View File

@@ -10,25 +10,47 @@ export function useProfile(userId: string | undefined) {
queryFn: async () => {
if (!userId) return null;
console.log('[useProfile] Fetching profile for userId:', userId);
console.log('[useProfile] Fetching filtered profile for userId:', userId);
const { data, error } = await supabase
.from('profiles')
.select('*, location:locations(*)')
.eq('user_id', userId)
.maybeSingle();
// Get current viewer ID
const { data: { user } } = await supabase.auth.getUser();
const viewerId = user?.id || null;
// Use get_filtered_profile RPC for privacy-aware field filtering
const { data, error } = await supabase.rpc('get_filtered_profile', {
_profile_user_id: userId,
_viewer_id: viewerId
});
if (error) {
console.error('[useProfile] Error:', error);
throw error;
}
console.log('[useProfile] Profile loaded:', {
username: data?.username,
avatar_url: data?.avatar_url
if (!data) return null;
// Type assertion since we know the structure from the RPC function
const profileData = data as unknown as Profile;
// Fetch location separately if location_id is present and visible
if (profileData.location_id) {
const { data: location } = await supabase
.from('locations')
.select('*')
.eq('id', profileData.location_id)
.single();
if (location) {
profileData.location = location;
}
}
console.log('[useProfile] Filtered profile loaded:', {
username: profileData.username,
has_avatar: !!profileData.avatar_url
});
return data as Profile;
return profileData;
},
enabled: !!userId,
staleTime: 5 * 60 * 1000, // 5 minutes

94
src/hooks/useProfileFieldAccess.ts
View File

@@ -1,94 +0,0 @@
import { useState, useEffect } from 'react';
import { supabase } from '@/integrations/supabase/client';
import { useAuth } from '@/hooks/useAuth';
interface ProfileFieldAccess {
[fieldName: string]: boolean;
}
export function useProfileFieldAccess(profileUserId: string | null | undefined) {
const { user } = useAuth();
const [fieldAccess, setFieldAccess] = useState<ProfileFieldAccess>({});
const [loading, setLoading] = useState(true);
useEffect(() => {
if (!profileUserId) {
setLoading(false);
return;
}
checkFieldAccess();
}, [profileUserId, user?.id]);
const checkFieldAccess = async () => {
if (!profileUserId || !user?.id) {
setLoading(false);
return;
}
try {
setLoading(true);
// Fields that might need privacy checking
const fieldsToCheck = [
'date_of_birth',
'personal_location',
'location_id',
'preferred_pronouns',
'home_park_id',
'bio',
'avatar_url',
'avatar_image_id'
];
const accessChecks: ProfileFieldAccess = {};
// Check each field individually using our security definer function
for (const field of fieldsToCheck) {
const { data, error } = await supabase.rpc('can_view_profile_field', {
_viewer_id: user.id,
_profile_user_id: profileUserId,
_field_name: field
});
if (error) {
console.error(`Error checking access for field ${field}:`, error);
accessChecks[field] = false;
} else {
accessChecks[field] = data === true;
}
}
setFieldAccess(accessChecks);
} catch (error) {
console.error('Error checking field access:', error);
// Default to denying access on error
setFieldAccess({});
} finally {
setLoading(false);
}
};
const canViewField = (fieldName: string): boolean => {
if (!profileUserId || !user?.id) {
return false;
}
// Users can always see their own fields
if (user.id === profileUserId) {
return true;
}
return fieldAccess[fieldName] || false;
};
const refresh = () => {
checkFieldAccess();
};
return {
canViewField,
loading,
refresh
};
}

38
src/pages/Profile.tsx
View File

@@ -24,7 +24,6 @@ import { profileEditSchema } from '@/lib/validation';
import { LocationDisplay } from '@/components/profile/LocationDisplay';
import { UserBlockButton } from '@/components/profile/UserBlockButton';
import { PersonalLocationDisplay } from '@/components/profile/PersonalLocationDisplay';
import { useProfileFieldAccess } from '@/hooks/useProfileFieldAccess';
import { useUserRole } from '@/hooks/useUserRole';
export default function Profile() {
@@ -59,9 +58,6 @@ export default function Profile() {
});
const [recentActivity, setRecentActivity] = useState<any[]>([]);
const [activityLoading, setActivityLoading] = useState(false);
// Profile field access checking
const { canViewField, loading: fieldAccessLoading } = useProfileFieldAccess(profile?.user_id);
// User role checking
const { isModerator, loading: rolesLoading } = useUserRole();
@@ -489,9 +485,9 @@ export default function Profile() {
variant="avatar"
maxFiles={1}
maxSizeMB={1}
existingPhotos={canViewField('avatar_url') && profile.avatar_url ? [profile.avatar_url] : []}
existingPhotos={profile.avatar_url ? [profile.avatar_url] : []}
onUploadComplete={handleAvatarUpload}
currentImageId={avatarImageId}
currentImageId={avatarImageId}
onError={error => {
toast({
title: "Upload Error",
@@ -577,7 +573,7 @@ export default function Profile() {
{profile.display_name && <Badge variant="secondary" className="cursor-pointer hover:bg-secondary/80" onClick={() => navigate(`/profile/${profile.username}`)}>@{profile.username}</Badge>}
</div>
{canViewField('bio') && profile.bio && (
{profile.bio && (
<p className="text-muted-foreground mb-4 max-w-2xl">
{profile.bio}
</p>
@@ -592,31 +588,23 @@ export default function Profile() {
})}
</div>
{/* Show pronouns if enabled and privacy allows */}
{profile.show_pronouns && canViewField('preferred_pronouns') && profile.preferred_pronouns && (
{/* Show pronouns if enabled and present (privacy already enforced by get_filtered_profile) */}
{profile.show_pronouns && profile.preferred_pronouns && (
<div className="flex items-center gap-1">
<User className="w-4 h-4" />
{profile.preferred_pronouns}
</div>
)}
{/* Show personal location if available and privacy allows */}
{canViewField('personal_location') && profile.personal_location && (
<PersonalLocationDisplay
personalLocation={profile.personal_location}
userId={profile.user_id}
isOwnProfile={isOwnProfile}
/>
)}
{/* Show personal location (privacy already enforced by get_filtered_profile) */}
<PersonalLocationDisplay
personalLocation={profile.personal_location}
/>
{/* Show location only if privacy allows */}
{canViewField('location_id') && profile.location && (
<LocationDisplay
location={profile.location}
userId={profile.user_id}
isOwnProfile={isOwnProfile}
/>
)}
{/* Show location (privacy already enforced by get_filtered_profile) */}
<LocationDisplay
location={profile.location}
/>
</div>
</div>}
</div>