FIX: Always noindex /u routes (#27712)

SiteSetting.hide_user_profiles_from_public raises a Forbidden, which disallows our after_action: add no index header from triggering. This fix makes sure that the no index header gets added via before_action instead
2024-11-23 09:26:54 -06:00 · 2024-07-04 19:48:38 +08:00 · 2024-07-04 19:48:38 +08:00 · 8bbb4c5cca
commit 8bbb4c5cca
parent e3b6be15b8
2 changed files with 8 additions and 1 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -105,7 +105,7 @@ class UsersController < ApplicationController
                     ]
  skip_before_action :redirect_to_profile_if_required, only: %i[show staff_info update]

-  after_action :add_noindex_header, only: %i[show my_redirect]
+  before_action :add_noindex_header, only: %i[show my_redirect]

  allow_in_staff_writes_only_mode :admin_login
  allow_in_staff_writes_only_mode :email_login
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -4556,6 +4556,7 @@ RSpec.describe UsersController do
        expect(parsed["username"]).to eq(user.username)
        expect(parsed["profile_hidden"]).to be_blank
        expect(parsed["trust_level"]).to be_present
+        expect(response.headers["X-Robots-Tag"]).to eq("noindex")
      end

      it "returns a hidden profile" do
@ -4568,11 +4569,13 @@ RSpec.describe UsersController do
        expect(parsed["username"]).to eq(user.username)
        expect(parsed["profile_hidden"]).to eq(true)
        expect(parsed["trust_level"]).to be_blank
+        expect(response.headers["X-Robots-Tag"]).to eq("noindex")
      end

      it "should 403 for anonymous user when profiles are hidden" do
        SiteSetting.hide_user_profiles_from_public = true
        get "/u/#{user.username}.json"
+        expect(response.headers["X-Robots-Tag"]).to eq("noindex")
        expect(response).to have_http_status(:forbidden)
        get "/u/#{user.username}/messages.json"
        expect(response).to have_http_status(:forbidden)
@ -4583,6 +4586,7 @@ RSpec.describe UsersController do
        get "/u/#{user.username}", headers: { "User-Agent" => "Googlebot" }
        expect(response).to have_http_status(:forbidden)
        expect(response.body).to have_tag("body.crawler")
+        expect(response.headers["X-Robots-Tag"]).to eq("noindex")
      end

      describe "user profile views" do
@ -4615,12 +4619,14 @@ RSpec.describe UsersController do
      it "returns not found when the username doesn't exist" do
        get "/u/madeuppity.json"
        expect(response).not_to be_successful
+        expect(response.headers["X-Robots-Tag"]).to eq("noindex")
      end

      it "returns not found when the user is inactive" do
        inactive = Fabricate(:user, active: false)
        get "/u/#{inactive.username}.json"
        expect(response).not_to be_successful
+        expect(response.headers["X-Robots-Tag"]).to eq("noindex")
      end

      it "returns success when show_inactive_accounts is true and user is logged in" do
@ -4634,6 +4640,7 @@ RSpec.describe UsersController do
        Guardian.any_instance.expects(:can_see?).with(user1).returns(false)
        get "/u/#{user1.username}.json"
        expect(response).to be_forbidden
+        expect(response.headers["X-Robots-Tag"]).to eq("noindex")
      end

      describe "user profile views" do