From 355aba50cf145b54f4001ac47597604579659ff9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20David=20Mart=C3=ADnez=20Cubillos?=
Date: Wed, 13 Sep 2023 14:33:47 -0500
Subject: [PATCH] FIX: Return 403 instead of redirect on username routes when hiding profiles (#23545)

* FIX: Return 403 instead of redirect on username routes when hidding profiles

* Updated raised error to better reflect the problem to the user

* implemented suggested changes
---
 app/controllers/users_controller.rb    | 8 ++++++--
 spec/requests/users_controller_spec.rb | 12 +++++++-----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 2dde4aae935..c0fd86f3189 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -106,7 +106,9 @@ class UsersController < ApplicationController
   end
 
   def show(for_card: false)
-    return redirect_to path("/login") if SiteSetting.hide_user_profiles_from_public && !current_user
+    if SiteSetting.hide_user_profiles_from_public && !current_user
+      raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
+    end
 
     @user =
       fetch_user_from_params(
@@ -155,7 +157,9 @@ class UsersController < ApplicationController
 
   # This route is not used in core, but is used by theme components (e.g. https://meta.discourse.org/t/144479)
   def cards
-    return redirect_to path("/login") if SiteSetting.hide_user_profiles_from_public && !current_user
+    if SiteSetting.hide_user_profiles_from_public && !current_user
+      raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
+    end
 
     user_ids = params.require(:user_ids).split(",").map(&:to_i)
     raise Discourse::InvalidParameters.new(:user_ids) if user_ids.length > 50
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index b9bb71453d1..a272fb710fe 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
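Review bot: The new guard in `show` runs before `fetch_user_from_params`, and that ordering is what keeps anonymous callers from enumerating usernames — an existing and a non-existent name both get the same 403 — but nothing in the hunk says so, and a later refactor could move it below the lookup and reintroduce a 403/404 oracle. I would add a why-comment above the `if`: `# Must stay ahead of fetch_user_from_params: anonymous callers get the same 403 whether or not the username exists.` Raising `Discourse::NotFound` with `status: 403` also reads as a name/status mismatch; if the pairing is deliberate (for instance because the NotFound handler is the one that renders `custom_message` the way the PR wants), a one-line comment saying so would save the next reader a trip through ApplicationController's rescue handlers. The body of `show` continues past the hunk.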
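Review bot: The guard added to `cards` is a verbatim copy of the one added to `show`, so the two routes can drift apart the next time the condition or the raised error changes. I would move it into a private helper such as `ensure_profiles_visible!` whose body is the single line `raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403) if SiteSetting.hide_user_profiles_from_public && !current_user`, and call `ensure_profiles_visible!` as the first statement of both actions. A `before_action` restricted to `:show` and `:cards` would be neater still, but only if no other action invokes `show` directly; the spec's `/u/:username/card.json` example suggests one may, and I cannot confirm that from this hunk. `cards` continues past the hunk.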
@@ -4526,7 +4526,9 @@ RSpec.describe UsersController do
     it "should redirect to login page for anonymous user when profiles are hidden" do
       SiteSetting.hide_user_profiles_from_public = true
       get "/u/#{user.username}.json"
-      expect(response).to redirect_to "/login"
+      expect(response).to have_http_status(:forbidden)
+      get "/u/#{user.username}/messages.json"
+      expect(response).to have_http_status(:forbidden)
     end
 
     describe "user profile views" do
@@ -4729,10 +4731,10 @@ RSpec.describe UsersController do
       expect(parsed["trust_level"]).to be_present
     end
 
-    it "should redirect to login page for anonymous user when profiles are hidden" do
+    it "should have http status 403 for anonymous user when profiles are hidden" do
       SiteSetting.hide_user_profiles_from_public = true
       get "/u/#{user.username}/card.json"
-      expect(response).to redirect_to "/login"
+      expect(response).to have_http_status(:forbidden)
     end
   end
 
@@ -4788,10 +4790,10 @@ RSpec.describe UsersController do
       expect(parsed.map { |u| u["username"] }).to contain_exactly(user.username, user2.username)
     end
 
-    it "should redirect to login page for anonymous user when profiles are hidden" do
+    it "should have http status 403 for anonymous user when profiles are hidden" do
       SiteSetting.hide_user_profiles_from_public = true
       get "/user-cards.json?user_ids=#{user.id},#{user2.id}"
-      expect(response).to redirect_to "/login"
+      expect(response).to have_http_status(:forbidden)
     end
 
     context "when `hide_profile_and_presence` user option is checked" do
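Review bot: The first example in the `@@ -4526` hunk keeps its old description, `it "should redirect to login page for anonymous user when profiles are hidden"`, while its body now asserts `have_http_status(:forbidden)`; the two sibling examples in the later hunks were renamed, so this one should read `it "should have http status 403 for anonymous user when profiles are hidden" do` as well. Because the controller now raises before looking the user up, the anonymous-enumeration property is cheap to pin here: adding `get "/u/does-not-exist.json"` followed by `expect(response).to have_http_status(:forbidden)` would fail the moment the guard slipped below `fetch_user_from_params` and a 404 leaked which usernames exist. The added `messages.json` request carries no hint of which action it exercises — presumably `show` through a different route — so a short comment such as `# messages is served by the same action as the profile route` (confirm against config/routes) would make the intent clear.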