From 61db562a5f629c3f7f10e0efc7863f433128aa12 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 14 Mar 2024 12:44:14 +0800
Subject: [PATCH] Fix user router possbile panic (#29751) (#29786)

regression from #28023 backport #29751
---
 routers/web/user/home.go | 7 +++++--
 tests/integration/user_test.go | 9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/routers/web/user/home.go b/routers/web/user/home.go
index 285c18c1f9..45deb026e4 100644
--- a/routers/web/user/home.go
+++ b/routers/web/user/home.go
@@ -824,12 +824,16 @@ func UsernameSubRoute(ctx *context.Context) {
 reloadParam := func(suffix string) (success bool) {
 ctx.SetParams("username", strings.TrimSuffix(username, suffix))
 context_service.UserAssignmentWeb()(ctx)
+ if ctx.Written() {
+ return false
+ }
+
 // check view permissions
 if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
 ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
 return false
 }
- return !ctx.Written()
+ return true
 }
 switch {
 case strings.HasSuffix(username, ".png"):
@@ -850,7 +854,6 @@ func UsernameSubRoute(ctx *context.Context) {
 return
 }
 if reloadParam(".rss") {
- context_service.UserAssignmentWeb()(ctx)
 feed.ShowUserFeedRSS(ctx)
 }
 case strings.HasSuffix(username, ".atom"):
diff --git a/tests/integration/user_test.go b/tests/integration/user_test.go
index ddde415960..c35c920dbd 100644
--- a/tests/integration/user_test.go
+++ b/tests/integration/user_test.go
@@ -243,6 +243,8 @@ func testExportUserGPGKeys(t *testing.T, user, expected string) {
 }
 
 func TestGetUserRss(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
 user34 := "the_34-user.with.all.allowedChars"
 req := NewRequestf(t, "GET", "/%s.rss", user34)
 resp := MakeRequest(t, req, http.StatusOK)
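Review bot: In `reloadParam` (routers/web/user/home.go, first hunk), the new `ctx.Written()` guard is the only thing keeping the two `ctx.ContextUser` dereferences below it off a nil pointer, and that holds only if `UserAssignmentWeb` writes a response on every path that leaves `ContextUser` unset; its body is not part of this diff, so that is worth confirming. A comment above the guard would record the invariant, for example `// UserAssignmentWeb has already responded (e.g. 404); ContextUser may be nil here`. Separately, the context line `fmt.Errorf(ctx.ContextUser.Name)` passes a user-chosen name as the format string; `fmt.Errorf("%s", ctx.ContextUser.Name)` keeps any `%` in it from being interpreted as a verb. `UsernameSubRoute` starts and ends outside the hunk.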
@@ -253,6 +255,13 @@ func TestGetUserRss(t *testing.T) {
 description, _ := rssDoc.ChildrenFiltered("description").Html()
 assert.EqualValues(t, "<p dir="auto">some <a href="https://commonmark.org/" rel="nofollow">commonmark</a>!</p>\n", description)
 }
+
+ req = NewRequestf(t, "GET", "/non-existent-user.rss")
+ MakeRequest(t, req, http.StatusNotFound)
+
+ session := loginUser(t, "user2")
+ req = NewRequestf(t, "GET", "/non-existent-user.rss")
+ session.MakeRequest(t, req, http.StatusNotFound)
 }
 
 func TestListStopWatches(t *testing.T) {
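Review bot: The regression cases added at the end of `TestGetUserRss` pin only the `.rss` suffix, while the home.go hunk shows `reloadParam` sitting in a switch that also has at least `.png` and `.atom` cases, which presumably reach the same unknown-user path. Adding `req = NewRequest(t, "GET", "/non-existent-user.atom")` followed by `MakeRequest(t, req, http.StatusNotFound)`, here or in a sibling test, would keep the nil-user handling covered for those routes as well. The two new `NewRequestf` calls take no format arguments, so `NewRequest` would read more accurately. The test function begins outside this hunk.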