From 76bdea5ce2b88e9f43b075fb0188c66ddb2593a7 Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Wed, 27 Sep 2023 20:10:26 +0300
Subject: [PATCH] SECURITY: Hide user profiles from public

User profiles, including the summary, should be private to anonymous users if hide_user_profiles_from_public is enabled.
---
 app/controllers/users_controller.rb | 10 ++++------
 lib/guardian/user_guardian.rb | 4 ++++
 spec/requests/users_controller_spec.rb | 18 ++++++++++++++++++
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 4fa518e6f35..1b8280a5b79 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -114,9 +114,7 @@ class UsersController < ApplicationController
   end
 
   def show(for_card: false)
-    if SiteSetting.hide_user_profiles_from_public && !current_user
-      raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
-    end
+    guardian.ensure_public_can_see_profiles!
 
     @user =
       fetch_user_from_params(
@@ -165,9 +163,7 @@ class UsersController < ApplicationController
 
   # This route is not used in core, but is used by theme components (e.g. https://meta.discourse.org/t/144479)
   def cards
-    if SiteSetting.hide_user_profiles_from_public && !current_user
-      raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
-    end
+    guardian.ensure_public_can_see_profiles!
 
     user_ids = params.require(:user_ids).split(",").map(&:to_i)
     raise Discourse::InvalidParameters.new(:user_ids) if user_ids.length > 50
@@ -496,6 +492,8 @@ class UsersController < ApplicationController
   end
 
   def summary
+    guardian.ensure_public_can_see_profiles!
+
     @user =
       fetch_user_from_params(
         include_inactive:
diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb
index 5f605adab5e..135fd5feeb4 100644
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
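Review bot: The new `guardian.ensure_public_can_see_profiles!` in `show` replaces a `Discourse::NotFound` raised with `custom_message: "invalid_access", status: 403`, but no spec in this patch exercises `show` or `cards` under the setting; only `summary` is covered. The same substitution is made in the `cards` hunk. If Guardian's `ensure_*!` resolves to `Discourse::InvalidAccess` (that mapping is outside this diff), the status stays 403 but the response body can differ, so existing specs that assert on the `invalid_access` message for `show`/`cards` should be re-run, or a 403-for-anonymous example added for each, mirroring the `summary` examples. `show` and `cards` continue past the end of their hunks.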
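Review bot: In `summary` the guard is placed before `fetch_user_from_params`, so an anonymous request against a site with profiles hidden gets the same 403 whether or not the username exists; that ordering is deliberate and deserves a one-line comment so a later edit does not move the lookup above it, e.g. `# Check before the lookup so anonymous requests cannot tell existing from missing usernames`. The same ordering is used in the `show` and `cards` hunks. `summary` continues past the end of the hunk.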
@@ -122,6 +122,10 @@ module UserGuardian
     true
   end
 
+  def public_can_see_profiles?
+    !SiteSetting.hide_user_profiles_from_public || !anonymous?
+  end
+
   def can_see_profile?(user)
     return false if user.blank?
     return true if !SiteSetting.allow_users_to_hide_profile?
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 37182039147..c4aff9b6bbe 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -4151,6 +4151,24 @@ RSpec.describe UsersController do
       expect(json["user_summary"]["post_count"]).to eq(0)
     end
 
+    context "when `hide_user_profiles_from_public` site setting is enabled" do
+      before { SiteSetting.hide_user_profiles_from_public = true }
+
+      it "returns 200 for logged in users" do
+        sign_in(Fabricate(:user))
+
+        get "/u/#{user.username_lower}/summary.json"
+
+        expect(response.status).to eq(200)
+      end
+
+      it "returns 403 for anonymous users" do
+        get "/u/#{user.username_lower}/summary.json"
+
+        expect(response.status).to eq(403)
+      end
+    end
+
     context "when `hide_profile_and_presence` user option is checked" do
       before_all { user1.user_option.update_columns(hide_profile_and_presence: true) }
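Review bot: `public_can_see_profiles?` has no comment, and unlike the neighbouring `can_see_profile?(user)` it takes no user and only combines `hide_user_profiles_from_public` with `anonymous?`; a short YARD line would make the distinction clear: `# @return [Boolean] false only when hide_user_profiles_from_public is on and the viewer is anonymous`. The controllers call it as `ensure_public_can_see_profiles!`, which relies on Guardian's dynamic `ensure_*!` to `*?` handling outside this diff, so it is worth confirming that mapping accepts a predicate without the `can_` prefix. `can_see_profile?` itself does not fold in this check, so any caller that relies on `can_see_profile?` alone stays unaffected by the setting; that may be intended but should be stated. `can_see_profile?` continues past the end of the hunk.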