Fix leak of invisible participants in conversation dropdown

BurntimeX · BurntimeX · commit 1696e9b60466 · 2025-01-13T13:27:46.000+01:00
ref https://www.woltlab.com/community/thread/310591
diff --git a/files/lib/data/conversation/Conversation.class.php b/files/lib/data/conversation/Conversation.class.php
@@ -382,7 +382,7 @@ public function getParticipantIDs($excludeLeftParticipants = false)
      * @param bool $leftByOwnChoice
      * @return  string[]
      */
-    public function getParticipantNames($excludeSelf = false, $leftByOwnChoice = false)
+    public function getParticipantNames($excludeSelf = false, $leftByOwnChoice = false, bool $isAuthor = false)
     {
         $conditions = new PreparedStatementConditionBuilder();
         $conditions->add("conversationID = ?", [$this->conversationID]);
@@ -392,6 +392,9 @@ public function getParticipantNames($excludeSelf = false, $leftByOwnChoice = fal
         if ($leftByOwnChoice) {
             $conditions->add("conversation_to_user.leftByOwnChoice = ?", [1]);
         }
+        if (!$isAuthor) {
+            $conditions->add("conversation_to_user.isInvisible = ?", [0]);
+        }
 
         $sql = "SELECT      user_table.username
                 FROM        wcf" . WCF_N . "_conversation_to_user conversation_to_user
diff --git a/files/lib/data/conversation/ConversationAction.class.php b/files/lib/data/conversation/ConversationAction.class.php
@@ -919,9 +919,7 @@ public function getConversations(): array
             } else {
                 if ($conversation->participants > 1) {
                     $image = '<span class="icon icon48 fa-users"></span>';
-                    $usernames = \array_filter($conversation->getParticipantNames(), static function ($username) use ($conversation) {
-                        return $username !== $conversation->getUserProfile()->username;
-                    });
+                    $usernames = $conversation->getParticipantNames(true);
                 } else {
                     $image = $conversation->getUserProfile()->getAvatar()->getImageTag(48);
                     $usernames = [$conversation->getUserProfile()->username];
@@ -1002,7 +1000,11 @@ public function getAddParticipantsForm()
         }
 
         return [
-            'excludedSearchValues' => $this->conversation->getParticipantNames(false, true),
+            'excludedSearchValues' => $this->conversation->getParticipantNames(
+                false,
+                true,
+                $this->conversation->userID == WCF::getUser()->userID
+            ),
             'maxItems' => WCF::getSession()->getPermission('user.conversation.maxParticipants') - $this->conversation->participants,
             'canAddGroupParticipants' => WCF::getSession()->getPermission('user.conversation.canAddGroupParticipants'),
             'template' => WCF::getTPL()->fetch(
