SECURITY: Hide user's bio if profile is restricted (#15448)

The bio was sometimes visible in the meta tags even though it it should not have been.
2025-01-19 10:32:45 +08:00 · 2022-01-04 21:34:17 +02:00 · 2022-01-04 21:34:17 +02:00 · 9a97ce1899
commit 9a97ce1899
parent 75fa5ee748
2 changed files with 11 additions and 1 deletions
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@ -97,7 +97,7 @@ module UserGuardian
  end

  def restrict_user_fields?(user)
-    user.trust_level == TrustLevel[0] && anonymous?
+    (user.trust_level == TrustLevel[0] && anonymous?) || !can_see_profile?(user)
  end

  def can_see_staff_info?(user)
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -3571,6 +3571,16 @@ describe UsersController do
      expect(response.body).to include(user.username)
    end

+    it "should not be able to view a private user profile" do
+      user1.user_profile.update!(bio_raw: "Hello world!")
+      user1.user_option.update!(hide_profile_and_presence: true)
+
+      get "/u/#{user1.username}"
+
+      expect(response.status).to eq(200)
+      expect(response.body).not_to include("Hello world!")
+    end
+
    describe 'when username contains a period' do
      before do
        user.update!(username: 'test.test')