From 9216eb6f3a4037ba94e1715eddde0b19c659655d Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Mon, 6 Sep 2021 21:03:39 +0000
Subject: [PATCH] Merged r21209 to 4.1-stable (#35789).

git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@21216 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/activities_controller.rb | 2 +-
 test/functional/activities_controller_test.rb | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index 3120d63a5..c45e46790 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -33,7 +33,7 @@ class ActivitiesController < ApplicationController
 @date_from = @date_to - @days
 @with_subprojects = params[:with_subprojects].nil? ? Setting.display_subprojects_issues? : (params[:with_subprojects] == '1')
 if params[:user_id].present?
- @author = User.active.find(params[:user_id])
+ @author = User.visible.active.find(params[:user_id])
 end
 @activity = Redmine::Activity::Fetcher.new(User.current, :project => @project,
diff --git a/test/functional/activities_controller_test.rb b/test/functional/activities_controller_test.rb
index 4b3cea2f2..61a298c3a 100644
--- a/test/functional/activities_controller_test.rb
+++ b/test/functional/activities_controller_test.rb
@@ -96,6 +96,18 @@ class ActivitiesControllerTest < Redmine::ControllerTest
 assert_response 404
 end
+ def test_user_index_with_non_visible_user_id_should_respond_404
+ Role.anonymous.update! :users_visibility => 'members_of_visible_projects'
+ user = User.generate!
+
+ @request.session[:user_id] = nil
+ get :index, :params => {
+ :user_id => user.id
+ }
+
+ assert_response 404
+ end
+
+ def test_index_atom_feed
 get :index, :params => {
 :format => 'atom',
-- 
2.39.5
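Review bot: The `User.visible` scope on the `@author` lookup now carries the access decision for this action, but nothing at the call site says so, which makes it easy to drop in a later refactor. A one-line comment above it would help, for example `# visible: a user the requester may not see must 404 exactly like an unknown id`. `visible` is also called with no argument while the fetcher just below is handed `User.current` explicitly; if the scope accepts a user argument (presumably it defaults to the current user, confirm against its definition), writing `User.visible(User.current).active.find(params[:user_id])` would make the two calls read consistently. The 404 depends on `find` raising and on a handler that is not in this hunk, and the action body starts and ends outside it.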
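Review bot: The new test pins only the anonymous requester and only the deny path, so it would still pass if the `visible` scope hid every user. With `users_visibility` set to `members_of_visible_projects`, two companion cases would cover both sides of the filter: a logged-in non-admin requester, and a user who does share a visible project and should still get a 200. The test also depends on the generated user having no memberships, which deserves a short comment above `user = User.generate!`, such as `# fresh user with no memberships, so not visible to anonymous`. The test class continues outside the hunk.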