From 065c065b3b9d0e48e05b5fda8cf58b100f35d5f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= <j.wielicki@sotecware.net>
Date: Wed, 20 Jan 2021 16:10:42 +0100
Subject: [PATCH] Determine the profile visiblity more conservatively

This will ensure that the user is not incorrectly shown a lower
visibility level than parts of their profile have.
---
 snikket_web/prosodyclient.py | 36 ++++++++++++++++++++++++++++++++++++
 snikket_web/user.py          |  8 +-------
 2 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/snikket_web/prosodyclient.py b/snikket_web/prosodyclient.py
index 67d30d0..753c53d 100644
--- a/snikket_web/prosodyclient.py
+++ b/snikket_web/prosodyclient.py
@@ -687,6 +687,42 @@ class ProsodyClient:
         )
         xmpputil.extract_iq_reply(metadata_resp)
 
+    @autosession
+    async def guess_profile_access_model(
+            self,
+            *,
+            session: aiohttp.ClientSession,
+            ) -> str:
+        access_models = filter(
+            lambda x: not isinstance(x, quart.exceptions.NotFound),
+            await asyncio.gather(
+                self.get_avatar_access_model(session=session),
+                self.get_nickname_access_model(session=session),
+                self.get_vcard_access_model(session=session),
+                return_exceptions=True,
+            )
+        )
+
+        order = [
+            "open",
+            "presence",
+            "whitelist",
+        ]
+
+        worst_index: typing.Optional[int] = None
+        for model in access_models:
+            if isinstance(model, BaseException):
+                raise model
+            try:
+                index = order.index(model)
+            except ValueError:
+                index = 0
+
+            if worst_index is None or index < worst_index:
+                worst_index = index
+
+        return order[worst_index or 0]
+
     async def change_password(
             self,
             current_password: str,
diff --git a/snikket_web/user.py b/snikket_web/user.py
index 98c7133..44d3110 100644
--- a/snikket_web/user.py
+++ b/snikket_web/user.py
@@ -111,13 +111,7 @@ async def profile() -> typing.Union[str, quart.Response]:
         # TODO: find a better way to determine the access model, e.g. by
         # taking the first access model which is defined in [nickname, avatar,
         # vcard] or by taking the most open one.-
-        try:
-            profile_access_model = await client.get_nickname_access_model()
-        except quart.exceptions.NotFound:
-            # avatar node does not exist yet, default the access model to
-            # presence
-            # that is what will be set if the user now adds a new avatar.
-            profile_access_model = "presence"
+        profile_access_model = await client.guess_profile_access_model()
         form.nickname.data = user_info.get("nickname", "")
         form.profile_access_model.data = profile_access_model