added additional visibility masks for profile menu hook, also added isPrivileged user method, closes #5306

src/controllers/accounts/helpers.js

@@ -119,7 +119,13 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 			userData['reputation:disabled'] = parseInt(meta.config['reputation:disabled'], 10) === 1;
 			userData['downvote:disabled'] = parseInt(meta.config['downvote:disabled'], 10) === 1;
 			userData['email:confirmed'] = !!parseInt(userData['email:confirmed'], 10);
-			userData.profile_links = filterLinks(results.profile_links.concat(results.profile_menu.links), isSelf);
+			userData.profile_links = filterLinks(results.profile_links.concat(results.profile_menu.links), {
+				self: isSelf,
+				other: !isSelf,
+				moderator: isModerator,
+				globalMod: isGlobalModerator,
+				admin: isAdmin
+			});
 
 			userData.sso = results.sso.associations;
 			userData.status = user.getStatus(userData);
@@ -154,9 +160,30 @@ helpers.getBaseUser = function (userslug, callerUID, callback) {
 	helpers.getUserDataByUserSlug(userslug, callerUID, callback);
 };
 
-function filterLinks(links, self) {
+function filterLinks(links, states) {
-	return links.filter(function (link) {
+	return links.filter(function (link, index) {
-		return link && (link.public || self);
+		// "public" is the old property, if visibility is defined, discard `public`
+		if (link.hasOwnProperty('public') && !link.hasOwnProperty('visibility')) {
+			winston.warn('[account/profileMenu (' + link.id + ')] Use of the `.public` property is deprecated, use `visibility` now');
+			return link && (link.public || states.self);
+		}
+
+		// Default visibility
+		link.visibility = Object.assign({
+			self: true,
+			other: true,
+			moderator: true,
+			globalMod: true,
+			admin: true
+		}, link.visibility);
+
+		// Iterate through states and permit if every test passes (or is not defined)
+		var permit = Object.keys(states).some(function (state) {
+			return states[state] === link.visibility[state];
+		});
+
+		links[index].public = permit;
+		return permit;
 	});
 }
 

src/middleware/index.js

@@ -73,6 +73,30 @@ middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {
 	}
 };
 
+middleware.ensureSelfOrPrivileged = function (req, res, next) {
+	/*
+		The "self" part of this middleware hinges on you having used
+		middleware.exposeUid prior to invoking this middleware.
+	*/
+	if (req.user) {
+		if (req.user.uid === res.locals.uid) {
+			return next();
+		}
+
+		user.isPrivileged(req.uid, function (err, ok) {
+			if (err) {
+				return next(err);
+			} else if (ok) {
+				return next();
+			} else {
+				controllers.helpers.notAllowed(req, res);
+			}
+		});
+	} else {
+		controllers.helpers.notAllowed(req, res);
+	}
+};
+
 middleware.pageView = function (req, res, next) {
 	analytics.pageView({
 		ip: req.ip,

src/user.js

@@ -256,6 +256,16 @@ var meta = require('./meta');
 		privileges.users.isGlobalModerator(uid, callback);
 	};
 
+	User.isPrivileged = function (uid, callback) {
+		async.parallel([
+			async.apply(User.isAdministrator, uid),
+			async.apply(User.isGlobalModerator, uid),
+			async.apply(User.isModeratorOfAnyCategory, uid)
+		], function (err, results) {
+			callback(err, results ? results.some(Boolean) : false);
+		});
+	};
+
 	User.isAdminOrGlobalMod = function (uid, callback) {
 		async.parallel({
 			isAdmin: async.apply(User.isAdministrator, uid),