Refine profile privacy controls

2025-12-23 19:11:12 -05:00 · 2025-09-29 02:46:03 +00:00
parent 50d75e0924
commit 93075ba6ca
5 changed files with 241 additions and 43 deletions
--- a/src/hooks/useProfileFieldAccess.ts
+++ b/src/hooks/useProfileFieldAccess.ts
@@ -0,0 +1,94 @@
+import { useState, useEffect } from 'react';
+import { supabase } from '@/integrations/supabase/client';
+import { useAuth } from '@/hooks/useAuth';
+
+interface ProfileFieldAccess {
+  [fieldName: string]: boolean;
+}
+
+export function useProfileFieldAccess(profileUserId: string | null | undefined) {
+  const { user } = useAuth();
+  const [fieldAccess, setFieldAccess] = useState<ProfileFieldAccess>({});
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    if (!profileUserId) {
+      setLoading(false);
+      return;
+    }
+
+    checkFieldAccess();
+  }, [profileUserId, user?.id]);
+
+  const checkFieldAccess = async () => {
+    if (!profileUserId || !user?.id) {
+      setLoading(false);
+      return;
+    }
+
+    try {
+      setLoading(true);
+      
+      // Fields that might need privacy checking
+      const fieldsToCheck = [
+        'date_of_birth',
+        'personal_location',
+        'location_id',
+        'preferred_pronouns',
+        'home_park_id',
+        'bio',
+        'avatar_url',
+        'avatar_image_id'
+      ];
+
+      const accessChecks: ProfileFieldAccess = {};
+
+      // Check each field individually using our security definer function
+      for (const field of fieldsToCheck) {
+        const { data, error } = await supabase.rpc('can_view_profile_field', {
+          _viewer_id: user.id,
+          _profile_user_id: profileUserId,
+          _field_name: field
+        });
+
+        if (error) {
+          console.error(`Error checking access for field ${field}:`, error);
+          accessChecks[field] = false;
+        } else {
+          accessChecks[field] = data === true;
+        }
+      }
+
+      setFieldAccess(accessChecks);
+    } catch (error) {
+      console.error('Error checking field access:', error);
+      // Default to denying access on error
+      setFieldAccess({});
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const canViewField = (fieldName: string): boolean => {
+    if (!profileUserId || !user?.id) {
+      return false;
+    }
+
+    // Users can always see their own fields
+    if (user.id === profileUserId) {
+      return true;
+    }
+
+    return fieldAccess[fieldName] || false;
+  };
+
+  const refresh = () => {
+    checkFieldAccess();
+  };
+
+  return {
+    canViewField,
+    loading,
+    refresh
+  };
+}