FIX: Ensure `username` param is valid in `NotificationsController`.

app/controllers/notifications_controller.rb

@@ -5,8 +5,14 @@ class NotificationsController < ApplicationController
   before_filter :ensure_logged_in
 
   def index
-    user = current_user
+    user =
-    user = User.find_by_username(params[:username].to_s) if params[:username]
+      if params[:username] && !params[:recent]
+        user_record = User.find_by(username: params[:username].to_s)
+        raise Discourse::InvalidParameters.new(:username) if !user_record
+        user_record
+      else
+        current_user
+      end
 
     guardian.ensure_can_see_notifications!(user)
 

spec/controllers/notifications_controller_spec.rb

@@ -5,14 +5,41 @@ describe NotificationsController do
   context 'when logged in' do
     let!(:user) { log_in }
 
-    it 'should succeed for recent' do
+    describe '#index' do
-      xhr :get, :index, recent: true
+      it 'should succeed for recent' do
-      expect(response).to be_success
+        xhr :get, :index, recent: true
-    end
+        expect(response).to be_success
+      end
 
-    it 'should succeed for history' do
+      it 'should succeed for history' do
-      xhr :get, :index
+        xhr :get, :index
-      expect(response).to be_success
+        expect(response).to be_success
+      end
+
+      it 'should mark notifications as viewed' do
+        notification = Fabricate(:notification, user: user)
+        expect(user.reload.unread_notifications).to eq(1)
+        expect(user.reload.total_unread_notifications).to eq(1)
+        xhr :get, :index, recent: true
+        expect(user.reload.unread_notifications).to eq(0)
+        expect(user.reload.total_unread_notifications).to eq(1)
+      end
+
+      it 'should not mark notifications as viewed if silent param is present' do
+        notification = Fabricate(:notification, user: user)
+        expect(user.reload.unread_notifications).to eq(1)
+        expect(user.reload.total_unread_notifications).to eq(1)
+        xhr :get, :index, recent: true, silent: true
+        expect(user.reload.unread_notifications).to eq(1)
+        expect(user.reload.total_unread_notifications).to eq(1)
+      end
+
+      context 'when username params is not valid' do
+        it 'should raise the right error' do
+          expect { xhr :get, :index, username: 'somedude' }
+            .to raise_error(Discourse::InvalidParameters)
+        end
+      end
     end
 
     it 'should succeed' do
@@ -20,24 +47,6 @@ describe NotificationsController do
       expect(response).to be_success
     end
 
-    it 'should mark notifications as viewed' do
-      notification = Fabricate(:notification, user: user)
-      expect(user.reload.unread_notifications).to eq(1)
-      expect(user.reload.total_unread_notifications).to eq(1)
-      xhr :get, :index, recent: true
-      expect(user.reload.unread_notifications).to eq(0)
-      expect(user.reload.total_unread_notifications).to eq(1)
-    end
-
-    it 'should not mark notifications as viewed if silent param is present' do
-      notification = Fabricate(:notification, user: user)
-      expect(user.reload.unread_notifications).to eq(1)
-      expect(user.reload.total_unread_notifications).to eq(1)
-      xhr :get, :index, recent: true, silent: true
-      expect(user.reload.unread_notifications).to eq(1)
-      expect(user.reload.total_unread_notifications).to eq(1)
-    end
-
     it "can update a single notification" do
       notification = Fabricate(:notification, user: user)
       notification2 = Fabricate(:notification, user: user)