FIX: Return 403 instead of redirect on username routes when hiding profiles (#23545)

* FIX: Return 403 instead of redirect on username routes when hidding profiles * Updated raised error to better reflect the problem to the user * implemented suggested changes
2025-01-18 17:52:45 +08:00 · 2023-09-13 14:33:47 -05:00 · 2023-09-13 14:33:47 -05:00 · 355aba50cf
commit 355aba50cf
parent 3d6b812220
2 changed files with 13 additions and 7 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -106,7 +106,9 @@ class UsersController < ApplicationController
  end

  def show(for_card: false)
-    return redirect_to path("/login") if SiteSetting.hide_user_profiles_from_public && !current_user
+    if SiteSetting.hide_user_profiles_from_public && !current_user
+      raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
+    end

    @user =
      fetch_user_from_params(
@ -155,7 +157,9 @@ class UsersController < ApplicationController

  # This route is not used in core, but is used by theme components (e.g. https://meta.discourse.org/t/144479)
  def cards
-    return redirect_to path("/login") if SiteSetting.hide_user_profiles_from_public && !current_user
+    if SiteSetting.hide_user_profiles_from_public && !current_user
+      raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
+    end

    user_ids = params.require(:user_ids).split(",").map(&:to_i)
    raise Discourse::InvalidParameters.new(:user_ids) if user_ids.length > 50
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -4526,7 +4526,9 @@ RSpec.describe UsersController do
      it "should redirect to login page for anonymous user when profiles are hidden" do
        SiteSetting.hide_user_profiles_from_public = true
        get "/u/#{user.username}.json"
-        expect(response).to redirect_to "/login"
+        expect(response).to have_http_status(:forbidden)
+        get "/u/#{user.username}/messages.json"
+        expect(response).to have_http_status(:forbidden)
      end

      describe "user profile views" do
@ -4729,10 +4731,10 @@ RSpec.describe UsersController do
        expect(parsed["trust_level"]).to be_present
      end

-      it "should redirect to login page for anonymous user when profiles are hidden" do
+      it "should have http status 403 for anonymous user when profiles are hidden" do
        SiteSetting.hide_user_profiles_from_public = true
        get "/u/#{user.username}/card.json"
-        expect(response).to redirect_to "/login"
+        expect(response).to have_http_status(:forbidden)
      end
    end

@ -4788,10 +4790,10 @@ RSpec.describe UsersController do
      expect(parsed.map { |u| u["username"] }).to contain_exactly(user.username, user2.username)
    end

-    it "should redirect to login page for anonymous user when profiles are hidden" do
+    it "should have http status 403 for anonymous user when profiles are hidden" do
      SiteSetting.hide_user_profiles_from_public = true
      get "/user-cards.json?user_ids=#{user.id},#{user2.id}"
-      expect(response).to redirect_to "/login"
+      expect(response).to have_http_status(:forbidden)
    end

    context "when `hide_profile_and_presence` user option is checked" do