Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: hide rss feed & json if a user profile is hidden.

This commit is contained in:
Vinoth Kannan 2020-06-03 19:03:02 +05:30
parent fc0f112f16
commit 7fe414d35d
6 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/controllers/list_controller.rb
View File

@ -121,6 +121,8 @@ class ListController < ApplicationController
def topics_by def topics_by
list_opts = build_topic_list_options list_opts = build_topic_list_options
target_user = fetch_user_from_params({ include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts) }, [:user_stat, :user_option]) target_user = fetch_user_from_params({ include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts) }, [:user_stat, :user_option])
ensure_can_see_profile!(target_user)
list = generate_list_for("topics_by", target_user, list_opts) list = generate_list_for("topics_by", target_user, list_opts)
list.more_topics_url = construct_url_with(:next, list_opts) list.more_topics_url = construct_url_with(:next, list_opts)
list.prev_topics_url = construct_url_with(:prev, list_opts) list.prev_topics_url = construct_url_with(:prev, list_opts)
@ -205,6 +207,7 @@ class ListController < ApplicationController
def user_topics_feed def user_topics_feed
discourse_expires_in 1.minute discourse_expires_in 1.minute
target_user = fetch_user_from_params target_user = fetch_user_from_params
ensure_can_see_profile!(target_user)
@title = "#{SiteSetting.title} - #{I18n.t("rss_description.user_topics", username: target_user.username)}" @title = "#{SiteSetting.title} - #{I18n.t("rss_description.user_topics", username: target_user.username)}"
@link = "#{Discourse.base_url}/u/#{target_user.username}/activity/topics" @link = "#{Discourse.base_url}/u/#{target_user.username}/activity/topics"
@ -385,6 +388,10 @@ class ListController < ApplicationController
public_send(method, opts.merge(page_params)).sub('.json?', '?') public_send(method, opts.merge(page_params)).sub('.json?', '?')
end end
def ensure_can_see_profile!(target_user = nil)
raise Discourse::NotFound unless guardian.can_see_profile?(target_user)
end
def self.best_period_for(previous_visit_at, category_id = nil) def self.best_period_for(previous_visit_at, category_id = nil)
default_period = ((category_id && Category.where(id: category_id).pluck_first(:default_top_period)) || default_period = ((category_id && Category.where(id: category_id).pluck_first(:default_top_period)) ||
SiteSetting.top_page_default_timeframe).to_sym SiteSetting.top_page_default_timeframe).to_sym

1
app/controllers/posts_controller.rb
View File

@ -106,6 +106,7 @@ class PostsController < ApplicationController
def user_posts_feed def user_posts_feed
params.require(:username) params.require(:username)
user = fetch_user_from_params user = fetch_user_from_params
raise Discourse::NotFound unless guardian.can_see_profile?(user)
posts = Post.public_posts posts = Post.public_posts
.where(user_id: user.id) .where(user_id: user.id)

1
app/controllers/user_badges_controller.rb
View File

@ -33,6 +33,7 @@ class UserBadgesController < ApplicationController
params.permit [:grouped] params.permit [:grouped]
user = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts)) user = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
raise Discourse::NotFound unless guardian.can_see_profile?(user)
user_badges = user.user_badges user_badges = user.user_badges
if params[:grouped] if params[:grouped]

14
spec/requests/list_controller_spec.rb
View File

@ -524,6 +524,12 @@ RSpec.describe ListController do
json = response.parsed_body json = response.parsed_body
expect(json["topic_list"]["topics"].size).to eq(2) expect(json["topic_list"]["topics"].size).to eq(2)
end end
it "returns 404 if `hide_profile_and_presence` user option is checked" do
user.user_option.update_columns(hide_profile_and_presence: true)
get "/topics/created-by/#{user.username}.json"
expect(response.status).to eq(404)
end
end end
describe "private_messages" do describe "private_messages" do
@ -622,4 +628,12 @@ RSpec.describe ListController do
expect(ListController.best_periods_for(nil, :daily)).to eq([:daily, :all]) expect(ListController.best_periods_for(nil, :daily)).to eq([:daily, :all])
end end
end end
describe "user_topics_feed" do
it "returns 404 if `hide_profile_and_presence` user option is checked" do
user.user_option.update_columns(hide_profile_and_presence: true)
get "/u/#{user.username}/activity/topics.rss"
expect(response.status).to eq(404)
end
end
end end

10
spec/requests/posts_controller_spec.rb
View File

@ -1644,6 +1644,16 @@ describe PostsController do
expect(body).to_not include(private_post.topic.slug) expect(body).to_not include(private_post.topic.slug)
expect(body).to include(public_post.topic.slug) expect(body).to include(public_post.topic.slug)
end end
it "returns 404 if `hide_profile_and_presence` user option is checked" do
user.user_option.update_columns(hide_profile_and_presence: true)
get "/u/#{user.username}/activity.rss"
expect(response.status).to eq(404)
get "/u/#{user.username}/activity.json"
expect(response.status).to eq(404)
end
end end
describe '#latest' do describe '#latest' do

7
spec/requests/user_badges_controller_spec.rb
View File

@ -44,6 +44,13 @@ describe UserBadgesController do
expect(parsed["user_badges"].length).to eq(1) expect(parsed["user_badges"].length).to eq(1)
end end
it "returns 404 if `hide_profile_and_presence` user option is checked" do
user.user_option.update_columns(hide_profile_and_presence: true)
get "/user-badges/#{user.username}.json"
expect(response.status).to eq(404)
end
it 'returns user_badges for a user with period in username' do it 'returns user_badges for a user with period in username' do
user.update!(username: "myname.test") user.update!(username: "myname.test")
get "/user-badges/#{user.username}", xhr: true get "/user-badges/#{user.username}", xhr: true