Return 404 when filtering by a non-visible user in activity view (#35789).

Patch by Mischa The Evil. git-svn-id: http://svn.redmine.org/redmine/trunk@21209 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Marius Balteanu <marius.balteanu@zitec.com> 2021-09-06 18:40:14 +0000
committer: Marius Balteanu <marius.balteanu@zitec.com> 2021-09-06 18:40:14 +0000
commit: 1e65114d6894d7ce1ae6b7931d32e142971235c4 (patch)
tree: 1f80af0abcc5b3a16560333d84907c211ca7e493 /test
parent: 55ce8de0aea23397aafdee68e4e7be1beb6089a9 (diff)
download: redmine-1e65114d6894d7ce1ae6b7931d32e142971235c4.tar.gz
redmine-1e65114d6894d7ce1ae6b7931d32e142971235c4.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/test/functional/activities_controller_test.rb b/test/functional/activities_controller_test.rb
index 6a722d8a1..a759dab31 100644
--- a/test/functional/activities_controller_test.rb
+++ b/test/functional/activities_controller_test.rb
@@ -107,6 +107,18 @@ class ActivitiesControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_user_index_with_non_visible_user_id_should_respond_404
+    Role.anonymous.update! :users_visibility => 'members_of_visible_projects'
+    user = User.generate!
+
+    @request.session[:user_id] = nil
+    get :index, :params => {
+      :user_id => user.id
+    }
+
+    assert_response 404
+  end
+
   def test_index_atom_feed
     get(
       :index,
author	Marius Balteanu <marius.balteanu@zitec.com>	2021-09-06 18:40:14 +0000
committer	Marius Balteanu <marius.balteanu@zitec.com>	2021-09-06 18:40:14 +0000
commit	1e65114d6894d7ce1ae6b7931d32e142971235c4 (patch)
tree	1f80af0abcc5b3a16560333d84907c211ca7e493 /test
parent	55ce8de0aea23397aafdee68e4e7be1beb6089a9 (diff)
download	redmine-1e65114d6894d7ce1ae6b7931d32e142971235c4.tar.gz redmine-1e65114d6894d7ce1ae6b7931d32e142971235c4.zip