feat: whitelist for user visibility

2026-03-14 15:45:02 +00:00 · 2026-03-14 16:43:00 +01:00
parent d374ea9651
commit f08e343e17
8 changed files with 67 additions and 18 deletions
--- a/core/models.py
+++ b/core/models.py
@@ -131,7 +131,7 @@ class UserQuerySet(models.QuerySet):
        if user.has_perm("core.view_hidden_user"):
            return self
        if user.has_perm("core.view_user"):
-            return self.filter(is_viewable=True)
+            return self.filter(Q(is_viewable=True) | Q(whitelisted_users=user))
        if user.is_anonymous:
            return self.none()
        return self.filter(id=user.id)
@@ -279,6 +279,15 @@ class User(AbstractUser):
        ),
        default=True,
    )
+    whitelisted_users = models.ManyToManyField(
+        "User",
+        related_name="visible_by_whitelist",
+        verbose_name=_("whitelisted users"),
+        help_text=_(
+            "If this profile is hidden, "
+            "the users in this list will still be able to see it."
+        ),
+    )
    godfathers = models.ManyToManyField("User", related_name="godchildren", blank=True)

    objects = CustomUserManager()
@@ -567,10 +576,31 @@ class User(AbstractUser):
        return user.is_root or user.is_board_member

    def can_be_viewed_by(self, user: User) -> bool:
+        """Check if the given user can be viewed by this user.
+
+        Given users A and B. A can be viewed by B if :
+
+        - A and B are the same user
+        - or B has the permission to view hidden users
+        - or B can view users in general and A didn't hide its profile
+        - or B is in A's whitelist.
+        """
+
+        def is_in_whitelist(u: User):
+            if (
+                hasattr(self, "_prefetched_objects_cache")
+                and "whitelisted_users" in self._prefetched_objects_cache
+            ):
+                return u in self.whitelisted_users.all()
+            return self.whitelisted_users.contains(u)
+
        return (
            user.id == self.id
            or user.has_perm("core.view_hidden_user")
-            or (user.has_perm("core.view_user") and self.is_viewable)
+            or (
+                user.has_perm("core.view_user")
+                and (self.is_viewable or is_in_whitelist(user))
+            )
        )

    def get_mini_item(self):