FIX: hide rss feed & json if a user profile is hidden.

2025-02-25 18:55:32 -06:00 · 2020-06-03 19:03:02 +05:30
parent fc0f112f16
commit 7fe414d35d
6 changed files with 40 additions and 0 deletions
--- a/app/controllers/list_controller.rb
+++ b/app/controllers/list_controller.rb
@@ -121,6 +121,8 @@ class ListController < ApplicationController
  def topics_by
    list_opts = build_topic_list_options
    target_user = fetch_user_from_params({ include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts) }, [:user_stat, :user_option])
+    ensure_can_see_profile!(target_user)
+
    list = generate_list_for("topics_by", target_user, list_opts)
    list.more_topics_url = construct_url_with(:next, list_opts)
    list.prev_topics_url = construct_url_with(:prev, list_opts)
@@ -205,6 +207,7 @@ class ListController < ApplicationController
  def user_topics_feed
    discourse_expires_in 1.minute
    target_user = fetch_user_from_params
+    ensure_can_see_profile!(target_user)

    @title = "#{SiteSetting.title} - #{I18n.t("rss_description.user_topics", username: target_user.username)}"
    @link = "#{Discourse.base_url}/u/#{target_user.username}/activity/topics"
@@ -385,6 +388,10 @@ class ListController < ApplicationController
    public_send(method, opts.merge(page_params)).sub('.json?', '?')
  end

+  def ensure_can_see_profile!(target_user = nil)
+    raise Discourse::NotFound unless guardian.can_see_profile?(target_user)
+  end
+
  def self.best_period_for(previous_visit_at, category_id = nil)
    default_period = ((category_id && Category.where(id: category_id).pluck_first(:default_top_period)) ||
          SiteSetting.top_page_default_timeframe).to_sym
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -106,6 +106,7 @@ class PostsController < ApplicationController
  def user_posts_feed
    params.require(:username)
    user = fetch_user_from_params
+    raise Discourse::NotFound unless guardian.can_see_profile?(user)

    posts = Post.public_posts
      .where(user_id: user.id)
--- a/app/controllers/user_badges_controller.rb
+++ b/app/controllers/user_badges_controller.rb
@@ -33,6 +33,7 @@ class UserBadgesController < ApplicationController
    params.permit [:grouped]

    user = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
+    raise Discourse::NotFound unless guardian.can_see_profile?(user)
    user_badges = user.user_badges

    if params[:grouped]