Separate secret and private channels on whois for non-opers (#1447)

Separate secret and private channels on WHOIS for all users.

- Move the config parsing from the core to core_whois.
- Replace <security:operspywhois> with an oper privilege.
- Introduce <options:splitwhois> to split WHOIS channel lists.

Closes #969.

5 files changed, 73 insertions, 37 deletions

diff --git a/docs/conf/inspircd.conf.example b/docs/conf/inspircd.conf.example
index 980409863..fba17b8cc 100644
--- a/docs/conf/inspircd.conf.example
+++ b/docs/conf/inspircd.conf.example
@@ -602,6 +602,13 @@
          # serverpingfreq: How often pings are sent between servers.
          serverpingfreq="1m"
 
+         # splitwhois: Whether to split private/secret channels from normal channels
+         # in WHOIS responses. Possible values for this are:
+         # 'no' - list all channels together in the WHOIS response regardless of type.
+         # 'split' - split private/secret channels to a separate WHOIS response numeric.
+         # 'splitmsg' - the same as split but also send a message explaining the split.
+         splitwhois="no"
+
          # defaultmodes: What modes are set on a empty channel when a user
          # joins it and it is unregistered.
          defaultmodes="not"
@@ -720,12 +727,6 @@
           # of the VERSION command response. This does not hide the InspIRCd version.
           customversion=""
 
-          # operspywhois: show opers (users/auspex) the +s channels a user is in. Values:
-          #  splitmsg  Split with an explanatory message
-          #  yes       Split with no explanatory message
-          #  no        Do not show
-          operspywhois="no"
-
           # runasuser: If this is set, InspIRCd will attempt to switch
           # to run as this user, which allows binding of ports under 1024.
           # You should NOT set this unless you are starting as root.
diff --git a/docs/conf/opers.conf.example b/docs/conf/opers.conf.example
index 5e1ec28f5..a3dfd9311 100644
--- a/docs/conf/opers.conf.example
+++ b/docs/conf/opers.conf.example
@@ -21,6 +21,7 @@
      #  VIEWING:
      #   - channels/auspex: allows opers with this priv to see more detail about channels than normal users.
      #   - users/auspex: allows opers with this priv to view more details about users than normal users, e.g. real host and IP.
+     #   - users/channel-spy: allows opers with this priv to view the private/secret channels that a user is on.
      #   - servers/auspex: allows opers with this priv to see more detail about server information than normal users.
      # ACTIONS:
      #   - users/mass-message: allows opers with this priv to PRIVMSG and NOTICE to a server mask (e.g. NOTICE $*)
diff --git a/include/configreader.h b/include/configreader.h
index 1a2335e52..5db6cc44b 100644
--- a/include/configreader.h
+++ b/include/configreader.h
@@ -259,7 +259,6 @@ class CoreExport ServerConfig
 
 	/** Used to indicate who we announce invites to on a channel */
 	enum InviteAnnounceState { INVITE_ANNOUNCE_NONE, INVITE_ANNOUNCE_ALL, INVITE_ANNOUNCE_OPS, INVITE_ANNOUNCE_DYNAMIC };
-	enum OperSpyWhoisState { SPYWHOIS_NONE, SPYWHOIS_SINGLEMSG, SPYWHOIS_SPLITMSG };
 
   	/** This holds all the information in the config file,
 	 * it's indexed by tag name to a vector of key/values.
@@ -377,11 +376,6 @@ class CoreExport ServerConfig
 	 */
 	InviteAnnounceState AnnounceInvites;
 
-	/** If this is enabled then operators will
-	 * see invisible (+i) channels in /whois.
-	 */
-	OperSpyWhoisState OperSpyWhois;
-
 	/** True if raw I/O is being logged */
 	bool RawLog;
 
diff --git a/src/configreader.cpp b/src/configreader.cpp
index 970aaba80..4643c7613 100644
--- a/src/configreader.cpp
+++ b/src/configreader.cpp
@@ -503,14 +503,6 @@ void ServerConfig::Fill()
 		AnnounceInvites = ServerConfig::INVITE_ANNOUNCE_DYNAMIC;
 	else
 		AnnounceInvites = ServerConfig::INVITE_ANNOUNCE_NONE;
-
-	v = security->getString("operspywhois");
-	if (v == "splitmsg")
-		OperSpyWhois = SPYWHOIS_SPLITMSG;
-	else if (v == "on" || v == "yes")
-		OperSpyWhois = SPYWHOIS_SINGLEMSG;
-	else
-		OperSpyWhois = SPYWHOIS_NONE;
 }
 
 // WARNING: it is not safe to use most of the codebase in this function, as it
diff --git a/src/coremods/core_whois.cpp b/src/coremods/core_whois.cpp
index b5191dabd..ca3b6f733 100644
--- a/src/coremods/core_whois.cpp
+++ b/src/coremods/core_whois.cpp
@@ -37,6 +37,18 @@ enum
 	RPL_CHANNELSMSG = 651
 };
 
+enum SplitWhoisState
+{
+	// Don't split private/secret channels into a separate RPL_WHOISCHANNELS numeric.
+	SPLITWHOIS_NONE,
+
+	// Split private/secret channels into a separate RPL_WHOISCHANNELS numeric.
+	SPLITWHOIS_SPLIT,
+
+	// Split private/secret channels into a separate RPL_WHOISCHANNELS numeric with RPL_CHANNELSMSG to explain the split.
+	SPLITWHOIS_SPLITMSG
+};
+
 class WhoisContextImpl : public Whois::Context
 {
 	Events::ModuleEventProvider& lineevprov;
@@ -75,6 +87,8 @@ class CommandWhois : public SplitCommand
 	void SendChanList(WhoisContextImpl& whois);
 
  public:
+	SplitWhoisState splitwhois;
+
 	/** Constructor for whois.
 	 */
 	CommandWhois(Module* parent)
@@ -125,9 +139,9 @@ class WhoisChanListNumericBuilder : public Numeric::GenericBuilder<' ', false, W
 
 class WhoisChanList
 {
-	const ServerConfig::OperSpyWhoisState spywhois;
+	const SplitWhoisState& splitwhois;
 	WhoisChanListNumericBuilder num;
-	WhoisChanListNumericBuilder spynum;
+	WhoisChanListNumericBuilder secretnum;
 	std::string prefixstr;
 
 	void AddMember(Membership* memb, WhoisChanListNumericBuilder& out)
@@ -140,10 +154,10 @@ class WhoisChanList
 	}
 
  public:
-	WhoisChanList(WhoisContextImpl& whois)
-		: spywhois(whois.GetSource()->HasPrivPermission("users/auspex") ? ServerInstance->Config->OperSpyWhois : ServerConfig::SPYWHOIS_NONE)
+	WhoisChanList(WhoisContextImpl& whois, const SplitWhoisState& sws)
+		: splitwhois(sws)
 		, num(whois)
-		, spynum(whois)
+		, secretnum(whois)
 	{
 	}
 
@@ -154,35 +168,38 @@ class WhoisChanList
 
 	void AddHidden(Membership* memb)
 	{
-		if (spywhois == ServerConfig::SPYWHOIS_NONE)
-			return;
-		AddMember(memb, (spywhois == ServerConfig::SPYWHOIS_SPLITMSG ? spynum : num));
+		AddMember(memb, splitwhois == SPLITWHOIS_NONE ? num : secretnum);
 	}
 
 	void Flush(WhoisContextImpl& whois)
 	{
 		num.Flush();
-		if (!spynum.IsEmpty())
+		if (!secretnum.IsEmpty() && splitwhois == SPLITWHOIS_SPLITMSG)
 			whois.SendLine(RPL_CHANNELSMSG, "is on private/secret channels:");
-		spynum.Flush();
+		secretnum.Flush();
 	}
 };
 
 void CommandWhois::SendChanList(WhoisContextImpl& whois)
 {
-	WhoisChanList chanlist(whois);
+	WhoisChanList chanlist(whois, splitwhois);
 
 	User* const target = whois.GetTarget();
+	bool hasoperpriv = whois.GetSource()->HasPrivPermission("users/channel-spy");
 	for (User::ChanList::iterator i = target->chans.begin(); i != target->chans.end(); ++i)
 	{
 		Membership* memb = *i;
 		Channel* c = memb->chan;
-		/* If the target is the sender, neither +p nor +s is set, or
-		 * the channel contains the user, it is not a spy channel
-		 */
-		if ((whois.IsSelfWhois()) || ((!c->IsModeSet(privatemode)) && (!c->IsModeSet(secretmode))) || (c->HasUser(whois.GetSource())))
+
+		// Anyone can view channels which are not private or secret.
+		if (!c->IsModeSet(privatemode) && !c->IsModeSet(secretmode))
 			chanlist.AddVisible(memb);
-		else
+
+		// Hidden channels are visible when the following conditions are true:
+		// (1) The source user and the target user are the same.
+		// (2) The source user is a member of the hidden channel.
+		// (3) The source user is an oper with the users/channel-spy privilege.
+		else if (whois.IsSelfWhois() || c->HasUser(whois.GetSource()) || hasoperpriv)
 			chanlist.AddHidden(memb);
 	}
 
@@ -318,4 +335,35 @@ CmdResult CommandWhois::HandleLocal(const std::vector<std::string>& parameters,
 	return CMD_SUCCESS;
 }
 
-COMMAND_INIT(CommandWhois)
+class CoreModWhois : public Module
+{
+ private:
+	CommandWhois cmd;
+
+ public:
+	CoreModWhois()
+		: cmd(this)
+	{
+	}
+
+	void ReadConfig(ConfigStatus&) CXX11_OVERRIDE
+	{
+		ConfigTag* tag = ServerInstance->Config->ConfValue("options");
+		const std::string splitwhois = tag->getString("splitwhois", "no");
+		if (stdalgo::string::equalsci(splitwhois, "no"))
+			cmd.splitwhois = SPLITWHOIS_NONE;
+		else if (stdalgo::string::equalsci(splitwhois, "split"))
+			cmd.splitwhois = SPLITWHOIS_SPLIT;
+		else if (stdalgo::string::equalsci(splitwhois, "splitmsg"))
+			cmd.splitwhois = SPLITWHOIS_SPLITMSG;
+		else
+			throw ModuleException(splitwhois + " is an invalid <security:splitwhois> value, at " + tag->getTagLocation()); 
+	}
+
+	Version GetVersion() CXX11_OVERRIDE
+	{
+		return Version("Provides the WHOIS command", VF_VENDOR|VF_CORE);
+	}
+};
+
+MODULE_INIT(CoreModWhois)