diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 4fa518e6f35..1b8280a5b79 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -114,9 +114,7 @@ class UsersController < ApplicationController end def show(for_card: false) - if SiteSetting.hide_user_profiles_from_public && !current_user - raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403) - end + guardian.ensure_public_can_see_profiles! @user = fetch_user_from_params( @@ -165,9 +163,7 @@ class UsersController < ApplicationController # This route is not used in core, but is used by theme components (e.g. https://meta.discourse.org/t/144479) def cards - if SiteSetting.hide_user_profiles_from_public && !current_user - raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403) - end + guardian.ensure_public_can_see_profiles! user_ids = params.require(:user_ids).split(",").map(&:to_i) raise Discourse::InvalidParameters.new(:user_ids) if user_ids.length > 50 @@ -496,6 +492,8 @@ class UsersController < ApplicationController end def summary + guardian.ensure_public_can_see_profiles! + @user = fetch_user_from_params( include_inactive: diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb index 5f605adab5e..135fd5feeb4 100644 --- a/lib/guardian/user_guardian.rb +++ b/lib/guardian/user_guardian.rb @@ -122,6 +122,10 @@ module UserGuardian true end + def public_can_see_profiles? + !SiteSetting.hide_user_profiles_from_public || !anonymous? + end + def can_see_profile?(user) return false if user.blank? return true if !SiteSetting.allow_users_to_hide_profile? diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb index 37182039147..c4aff9b6bbe 100644 --- a/spec/requests/users_controller_spec.rb +++ b/spec/requests/users_controller_spec.rb @@ -4151,6 +4151,24 @@ RSpec.describe UsersController do expect(json["user_summary"]["post_count"]).to eq(0) end + context "when `hide_user_profiles_from_public` site setting is enabled" do + before { SiteSetting.hide_user_profiles_from_public = true } + + it "returns 200 for logged in users" do + sign_in(Fabricate(:user)) + + get "/u/#{user.username_lower}/summary.json" + + expect(response.status).to eq(200) + end + + it "returns 403 for anonymous users" do + get "/u/#{user.username_lower}/summary.json" + + expect(response.status).to eq(403) + end + end + context "when `hide_profile_and_presence` user option is checked" do before_all { user1.user_option.update_columns(hide_profile_and_presence: true) }