Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Hide user profiles from public 

User profiles, including the summary, should be private to anonymous
users if hide_user_profiles_from_public is enabled.
This commit is contained in:
Bianca Nenciu 2023-09-27 20:10:26 +03:00 committed by Penar Musaraj
parent 6350ba2cb3
commit 76bdea5ce2
No known key found for this signature in database
GPG Key ID: E390435D881FF0F7
3 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/controllers/users_controller.rb
View File

@ -114,9 +114,7 @@ class UsersController < ApplicationController
end end
def show(for_card: false) def show(for_card: false)
if SiteSetting.hide_user_profiles_from_public && !current_user guardian.ensure_public_can_see_profiles!
raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
end
@user = @user =
fetch_user_from_params( fetch_user_from_params(
@ -165,9 +163,7 @@ class UsersController < ApplicationController
# This route is not used in core, but is used by theme components (e.g. https://meta.discourse.org/t/144479) # This route is not used in core, but is used by theme components (e.g. https://meta.discourse.org/t/144479)
def cards def cards
if SiteSetting.hide_user_profiles_from_public && !current_user guardian.ensure_public_can_see_profiles!
raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
end
user_ids = params.require(:user_ids).split(",").map(&:to_i) user_ids = params.require(:user_ids).split(",").map(&:to_i)
raise Discourse::InvalidParameters.new(:user_ids) if user_ids.length > 50 raise Discourse::InvalidParameters.new(:user_ids) if user_ids.length > 50
@ -496,6 +492,8 @@ class UsersController < ApplicationController
end end
def summary def summary
guardian.ensure_public_can_see_profiles!
@user = @user =
fetch_user_from_params( fetch_user_from_params(
include_inactive: include_inactive:

4
lib/guardian/user_guardian.rb
View File

@ -122,6 +122,10 @@ module UserGuardian
true true
end end
def public_can_see_profiles?
!SiteSetting.hide_user_profiles_from_public || !anonymous?
end
def can_see_profile?(user) def can_see_profile?(user)
return false if user.blank? return false if user.blank?
return true if !SiteSetting.allow_users_to_hide_profile? return true if !SiteSetting.allow_users_to_hide_profile?

18
spec/requests/users_controller_spec.rb
View File

@ -4151,6 +4151,24 @@ RSpec.describe UsersController do
expect(json["user_summary"]["post_count"]).to eq(0) expect(json["user_summary"]["post_count"]).to eq(0)
end end
context "when `hide_user_profiles_from_public` site setting is enabled" do
before { SiteSetting.hide_user_profiles_from_public = true }
it "returns 200 for logged in users" do
sign_in(Fabricate(:user))
get "/u/#{user.username_lower}/summary.json"
expect(response.status).to eq(200)
end
it "returns 403 for anonymous users" do
get "/u/#{user.username_lower}/summary.json"
expect(response.status).to eq(403)
end
end
context "when `hide_profile_and_presence` user option is checked" do context "when `hide_profile_and_presence` user option is checked" do
before_all { user1.user_option.update_columns(hide_profile_and_presence: true) } before_all { user1.user_option.update_columns(hide_profile_and_presence: true) }