Merged r21209 to 4.1-stable (#35789).
authorMarius Balteanu <marius.balteanu@zitec.com>
Mon, 6 Sep 2021 21:03:39 +0000 (21:03 +0000)
committerMarius Balteanu <marius.balteanu@zitec.com>
Mon, 6 Sep 2021 21:03:39 +0000 (21:03 +0000)
git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@21216 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/activities_controller.rb
test/functional/activities_controller_test.rb

index 3120d63a5ac77dc8297b12d63049d6e90a2848ea..c45e4679008845e4e157cabb5b6526840b9e6017 100644 (file)
@@ -33,7 +33,7 @@ class ActivitiesController < ApplicationController
     @date_from = @date_to - @days
     @with_subprojects = params[:with_subprojects].nil? ? Setting.display_subprojects_issues? : (params[:with_subprojects] == '1')
     if params[:user_id].present?
-      @author = User.active.find(params[:user_id])
+      @author = User.visible.active.find(params[:user_id])
     end
 
     @activity = Redmine::Activity::Fetcher.new(User.current, :project => @project,
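Review bot: The new `User.visible.active.find(params[:user_id])` line has no comment saying that `visible` is an access-control check, so a later cleanup could drop the scope without noticing it reopens user enumeration through `user_id`. I would add above it `# Only resolve users the current user may see; a hidden id must 404 exactly like a missing one.` The 404 presumably comes from the application's handling of the not-found error raised by `find`, which is not visible here. The `index` action starts and ends outside this hunk, so it is worth confirming that no later code in it reads `params[:user_id]` directly instead of going through `@author`.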
index 4b3cea2f21908c76f6fe69e95468459ee8c32db4..61a298c3add4ea82c04d2bc1c010080d220ce1c4 100644 (file)
@@ -96,6 +96,18 @@ class ActivitiesControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_user_index_with_non_visible_user_id_should_respond_404
+    Role.anonymous.update! :users_visibility => 'members_of_visible_projects'
+    user = User.generate!
+
+    @request.session[:user_id] = nil
+    get :index, :params => {
+      :user_id => user.id
+    }
+
+    assert_response 404
+  end
+
   def test_index_atom_feed
     get :index, :params => {
         :format => 'atom',
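Review bot: The added test `test_user_index_with_non_visible_user_id_should_respond_404` only exercises the anonymous path (`@request.session[:user_id] = nil` with `Role.anonymous` restricted), so a regression in the visibility scope for a logged-in account would pass unnoticed. A companion test that signs in a user whose roles are all limited to `members_of_visible_projects` and requests the id of a user sharing no project with them would cover that path. It would also help to assert a control case, the same request succeeding before `users_visibility` is changed, so the 404 is attributable to the new scope rather than to some other property of the generated user. The right status for that control depends on fixtures not shown in this hunk.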